CVE-2021-24911

2022-08-2215:15:12

CWE-79

[email protected]

web.nvd.nist.gov

cve-2021-24911

transposh wordpress translation

wordpress plugin

stored cross-site scripting

nvd

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

24.8%

JSON

The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the tk0 parameter from the tp_translation AJAX action, leading to Stored Cross-Site Scripting, which will trigger in the admin dashboard of the plugin. The minimum role needed to perform such attack depends on the plugin “Who can translate ?” setting.

Affected configurations

Vulners

NVD

Node

wordpresswordpressRange<1.0.8

VendorProductVersionCPE
wordpresswordpress*cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
wordpress	wordpress	*	cpe:2.3:a:wordpress:wordpress::::::::

CNA Affected

[
  {
    "product": "Transposh WordPress Translation",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "1.0.8",
        "status": "affected",
        "version": "1.0.8",
        "versionType": "custom"
      }
    ]
  }
]