GTranslate < 2.8.65 – Reflected Cross-Site Scripting (XSS) | CVE 2021-34630

Description

In the Pro and Enterprise versions of GTranslate < 2.8.65, the gtranslate_request_uri_var function runs at the top of all pages and echoes out the contents of $_SERVER['REQUEST_URI']. Although this uses addslashes, and most modern browsers automatically URLencode requests, this plugin is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below, or in cases where an attacker is able to modify the request en route between the client and the server, or in cases where the user is using an atypical browsing solution.

Proof of Concept

https://example.com/?page</script><script>alert(123);</script>

Affects Plugins

gtranslate

Fixed in 2.8.65

References

CVE

CVE-2021-34630

URL

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34630

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

5.0 (medium)

Miscellaneous

Submitter

Wordfence

Submitter website

https://wordfence.com

Verified

Yes

WPVDB ID

dfac81bb-7807-4288-aee3-43c7653c6446

Timeline

Publicly Published

2021-07-23 (about 4 years ago)

Added

2021-07-23 (about 4 years ago)

Last Updated

2022-04-12 (about 3 years ago)

Other

Published

Title

Published

2025-01-18

Title

Tijaji <= 1.43 - Reflected Cross-Site Scripting

Published

2024-11-21

Title

Premium Packages – Sell Digital Products Securely < 5.9.4 - Reflected Cross-Site Scripting via add_query_arg

Published

2014-08-01

Title

EZPZ One Click Backup <= 12.03.10 - Cross-Site Scripting (XSS)

Published

2024-09-30

Title

WP-Lister Lite for eBay < 3.6.5 - Reflected Cross-Site Scripting

Published

2025-04-09

Title

One Click Accessibility < 3.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting