4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
65.5%
High-Tech Bridge Security Research Lab discovered vulnerability in qTranslate WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks against website administrators. Successful exploitation of this vulnerability may allow a remote attacker to gain complete control over the web application, if the victim visits a malicious page with XSS exploit. This vulnerability can also be used to perform drive-by-download or phishing attacks against website administrators.
Input passed via “edit” HTTP GET parameter to “/wp-admin/options-general.php” is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
A simple exploit below will display a JS popup with “ImmuniWeb” word:
http://wordpress/wp-admin/options-general.php?page=qtranslate&edit=">< script%3Ealert%28%2FImmuniWeb%2F%29%3B%3C%2Fscript%3E
CPE | Name | Operator | Version |
---|---|---|---|
qtranslate wordpress plugin | le | 2.5.39 |