CVE-2021-24911

CWE-79Cross-site Scripting (XSS)3 documents3 sources
Severity
5.4MEDIUM
EPSS
0.5%
top 34.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Transposh Wordpress TranslationTransposh Transposh Wordpress Translation
Timeline
PublishedAug 22
Latest updateAug 23

Description

The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the tk0 parameter from the tp_translation AJAX action, leading to Stored Cross-Site Scripting, which will trigger in the admin dashboard of the plugin. The minimum role needed to perform such attack depends on the plugin "Who can translate ?" setting.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

CVEListV5unknown/transposh_wordpress_translation1.0.81.0.8

🔴Vulnerability Details

2
GHSA
GHSA-p553-xq2c-fgrg: The Transposh WordPress Translation WordPress plugin before 12022-08-23
CVEList
Transposh WordPress Translation < 1.0.8 - Stored Cross-Site Scripting2022-08-22
CVE-2021-24911 (MEDIUM CVSS 5.4) | The Transposh WordPress Translation | cvebase.io