CVE-2022-0765
Severity: MEDIUM (5.4)
Description
The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin (Translator and Administrator by default) to add arbitrary javascript payloads to the source strings leading to a stored cross-site scripting (XSS) vulnerability.
CVE details
CVSS v3.1 score: 5.4
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: LOW
User interaction: REQUIRED
Published: 4/18/2022
Last modified: 11/21/2024
Source: nvd
Honeypot observations: 0
Affected products
loco_translate_project:loco_translate
Weaknesses (CWE)
CWE-79
References
https://wpscan.com/vulnerability/58838f51-323d-41e0-8c85-8e113dc2c587 (contact@wpscan.com)
https://wpscan.com/vulnerability/58838f51-323d-41e0-8c85-8e113dc2c587 (af854a3a-2127-422b-91ae-364da2661108)
IOC correlations
No correlation recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.