CVE-2022-0765

Loco Translate < 2.6.1 - Authenticated Stored Cross-Site Scripting

EPSS 4.0%CWE-79

Vexday Risk Score

18Bajo

Decisión SSVC (CISA)

Attend

PoC disponible → seguir de cerca

CVSS —EPSS 4.0%KEV nãoPoC —Nuclei simMetasploit —Patch —

Ciclo de vida

18 abr 2022Publicada en NVD

Recomendación: Planificar corrección próxima — ya existe PoC pública.

The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin (Translator and Administrator by default) to add arbitrary javascript payloads to the source strings leading to a stored cross-site scripting (XSS) vulnerability.

Productos afectados

Unknown · Loco Translate

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://wpscan.com/vulnerability/58838f51-323d-41e0-8c85-8e113dc2c587