CVE-2021-24912 Transposh WordPress Translation < 1.0.8 - CSRF to Stored XSS

2022-08-2214:56:37

CWE-79

CWE-352

WPScan

www.cve.org

cve-2021-24912

wordpress

csrf

stored xss

translation plugin

sanitisation

admin context

EPSS

0.001

Percentile

21.2%

JSON

The Transposh WordPress Translation WordPress plugin before 1.0.8 does not have CSRF check in its tp_translation AJAX action, which could allow attackers to make authorised users add a translation. Given the lack of sanitisation in the tk0 parameter, this could lead to a Stored Cross-Site Scripting issue which will be executed in the context of a logged in admin

CNA Affected

[
  {
    "product": "Transposh WordPress Translation",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "1.0.8",
        "status": "affected",
        "version": "1.0.8",
        "versionType": "custom"
      }
    ]
  }
]

References

wpscan.com/vulnerability/349483e2-3ab5-4573-bc03-b1ebab40584d

EPSS

0.001

Percentile

21.2%

JSON

Related for CVELIST:CVE-2021-24912