Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-24910

CWE-79Cross-site Scripting (XSS)4 documents4 sources
Severity
6.1MEDIUM
EPSS
24.2%
top 3.91%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Unknown Transposh Wordpress TranslationTransposh Transposh Wordpress Translation
Timeline
PublishedAug 22
Latest updateAug 23

Description

The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the a parameter via an AJAX action (available to both unauthenticated and authenticated users when the curl library is installed) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

CVEListV5unknown/transposh_wordpress_translation1.0.81.0.8

🔴Vulnerability Details

2
GHSA
GHSA-vvqg-9xpw-c884: The Transposh WordPress Translation WordPress plugin before 12022-08-23
CVEList
Transposh WordPress Translation < 1.0.8 - Reflected Cross-Site Scripting2022-08-22

💥Exploits & PoCs

1
Nuclei
WordPress Transposh Translation <1.0.8 - Cross-Site Scripting
CVE-2021-24910 (MEDIUM CVSS 6.1) | The Transposh WordPress Translation | cvebase.io