Lucene search

[email protected]NVD:CVE-2021-24911

HistoryAug 22, 2022 - 3:15 p.m.

CVE-2021-24911

2022-08-2215:15:12

CWE-79

[email protected]

web.nvd.nist.gov

transposh

wordpress plugin

cross-site scripting

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

24.8%

JSON

The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the tk0 parameter from the tp_translation AJAX action, leading to Stored Cross-Site Scripting, which will trigger in the admin dashboard of the plugin. The minimum role needed to perform such attack depends on the plugin “Who can translate ?” setting.

Affected configurations

Nvd

Node

transposhtransposh_wordpress_translationRange<1.0.8wordpress

VendorProductVersionCPE
transposhtransposh_wordpress_translation*cpe:2.3:a:transposh:transposh_wordpress_translation:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
transposh	transposh_wordpress_translation	*	cpe:2.3:a:transposh:transposh_wordpress_translation::::::wordpress::*

References

wpscan.com/vulnerability/bd88be21-0cfc-46bd-b78a-23efc4868a55