Loco Translate < 2.6.1 - Authenticated Stored Cross-Site Scripting
CVE-2022-0765

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Loco Translate
Vendor: CVE Published:; 18 April 2022

Summary

The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin (Translator and Administrator by default) to add arbitrary javascript payloads to the source strings leading to a stored cross-site scripting (XSS) vulnerability.

Affected Version(s)

Loco Translate 2.6.1

References

https://wpscan.com/vulnerability/58838f51-323d-41e0-8c85-...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 18, 2022
Vulnerability Reserved
Feb 25, 2022

Credit

Taurus Omar