The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin (Translator and Administrator by default) to add arbitrary javascript payloads to the source strings leading to a stored cross-site scripting (XSS) vulnerability.
References
Link | Resource |
---|---|
https://wpscan.com/vulnerability/58838f51-323d-41e0-8c85-8e113dc2c587 | Exploit Third Party Advisory |
https://wpscan.com/vulnerability/58838f51-323d-41e0-8c85-8e113dc2c587 | Exploit Third Party Advisory |
Configurations
History
21 Nov 2024, 06:39
Type | Values Removed | Values Added |
---|---|---|
References | () https://wpscan.com/vulnerability/58838f51-323d-41e0-8c85-8e113dc2c587 - Exploit, Third Party Advisory |
Information
Published : 2022-04-18 18:15
Updated : 2024-11-21 06:39
NVD link : CVE-2022-0765
Mitre link : CVE-2022-0765
CVE.ORG link : CVE-2022-0765
JSON object : View
Products Affected
loco_translate_project
- loco_translate
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')