TranslatePress < 2.0.9 – Authenticated Stored Cross-Site Scripting | CVE 2021-24610 | Plugin Vulnerabilities

Description

The plugin does not implement a proper sanitisation on the translated strings. The 'trp_sanitize_string' function only removes script tag with a regex, still allowing other HTML tags and attributes to execute javascript, which could lead to authenticated Stored Cross-Site Scripting issues.

Proof of Concept

As admin, go to the Translate frontend page (/?trp-edit-translation=true)
Select the 'Search' string to be translated, and put the following payload as the Translated Text: <img src onerror=alert(/XSS/)>
Then access the frontend as any user to trigger the XSS

https://drive.google.com/file/d/1PnvjHuKCvjmom6xz_sxNLBu3jixCiHy_/view?usp=sharing

Affects Plugins

translatepress-multilingual

Fixed in 2.0.9

References

CVE

URL

https://github.com/apapedulimu/Learn-Source-Code-Review/tree/main/Translate%20Multilingual%20sites%20%E2%80%93%20TranslatePress

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apapedulimu

Submitter

Nosa Shandy

Submitter website

https://apapedulimu.click

Submitter twitter

Verified

Yes

WPVDB ID

b87fcc2f-c2eb-4e23-9757-d1c590f26d3f

Timeline

Publicly Published

2021-08-30 (about 4 years ago)

Added

2021-08-30 (about 4 years ago)

Last Updated

2022-04-12 (about 3 years ago)

Other

Published

Title

Published

2024-11-08

Title

Cowidgets – Elementor Addons <= 1.2.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Published

2025-09-22

Title

Real Estate Manager <= 7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-11-21

Title

AffiliateImporterEb <= 1.0.6 - Reflected XSS via Search

Published

2016-07-29

Title

Clicky by Yoast <= 1.5 - Minor Security Improvements

Published

2014-08-01

Title

Artiss Code Embed 2.0.1 - wp-admin/admin.php suffix Parameter XSS