CVE-2021-24912

State: PUBLISHED · Published: 2022-08-22 · Updated: 2024-08-03 · Assigner: WPScan

Description

The Transposh WordPress Translation WordPress plugin before 1.0.8 does not have CSRF check in its tp_translation AJAX action, which could allow attackers to make authorised users add a translation. Given the lack of sanitisation in the tk0 parameter, this could lead to a Stored Cross-Site Scripting issue which will be executed in the context of a logged in admin

CWE

CWE-352 — CWE-352 Cross-Site Request Forgery (CSRF)
CWE-79 — CWE-79 Cross-Site Scripting (XSS)

Affected

Unknown / Transposh WordPress Translation — v=1.0.8 <1.0.8 [affected]

CVSS

(none)

References

https://wpscan.com/vulnerability/349483e2-3ab5-4573-bc03-b1ebab40584d x_refsource_MISC

Source

cvelistV5-main/cves/2021/24xxx/CVE-2021-24912.json