Lucene search

WPScanCVE-2021-24911

HistoryAug 22, 2022 - 3:15 p.m.

CVE-2021-24911

2022-08-2215:15:12

CWE-79

WPScan

web.nvd.nist.gov

cve-2021-24911

transposh wordpress translation

wordpress plugin

stored cross-site scripting

nvd

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

24.8%

JSON

The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the tk0 parameter from the tp_translation AJAX action, leading to Stored Cross-Site Scripting, which will trigger in the admin dashboard of the plugin. The minimum role needed to perform such attack depends on the plugin “Who can translate ?” setting.

Affected configurations

Nvd

Vulners

Node

transposhtransposh_wordpress_translationRange<1.0.8wordpress

VendorProductVersionCPE
transposhtransposh_wordpress_translation*cpe:2.3:a:transposh:transposh_wordpress_translation:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
transposh	transposh_wordpress_translation	*	cpe:2.3:a:transposh:transposh_wordpress_translation::::::wordpress::*

CNA Affected

[
  {
    "product": "Transposh WordPress Translation",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "1.0.8",
        "status": "affected",
        "version": "1.0.8",
        "versionType": "custom"
      }
    ]
  }
]

References

wpscan.com/vulnerability/bd88be21-0cfc-46bd-b78a-23efc4868a55

Social References