Transposh WordPress Translation < 1.0.8 – Reflected Cross-Site Scripting | CVE 2021-24910

Description

The plugin does not sanitise and escape the a parameter via an AJAX action (available to both unauthenticated and authenticated users when the curl library is installed) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=tp_tp&e=g&m=s&tl=en&q=Calendly%20URL%3Cimg%20src%3dx%20onerror%3dalert(/XSS/)%3E

Affects Plugins

transposh-translation-filter-for-wordpress

Fixed in 1.0.8

References

CVE

CVE-2021-24910

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.1 (medium)

Miscellaneous

Original Researcher

Julien Ahrens

Verified

Yes

WPVDB ID

b5cbebf4-5749-41a0-8be3-3333853fca17

Timeline

Publicly Published

2022-02-22 (about 3 years ago)

Added

2022-07-28 (about 3 years ago)

Last Updated

2023-04-27 (about 2 years ago)

Other

Published

Title

Published

2018-05-14

Title

WP ULike <= 3.1 - Unauthenticated Stored XSS

Published

2025-06-19

Title

CP Polls <= 1.0.81 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2020-06-19

Title

CityBook < 2.4.4 - Unauthenticated Reflected XSS

Published

2025-04-01

Title

DobsonDev Shortcodes <= 2.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-07-30

Title

WP Modal Popup with Cookie Integration < 2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting