CVE-2022-0765
CVE-2022-0765 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale: a stored cross-site scripting (XSS) flaw in the Loco Translate WordPress plugin before 2.6.1, exploitable by any user with access to the plugin (the Translator and Administrator roles by default). EPSS estimates a 4.01% chance of exploitation in the next 30 days.
Description
The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline event handler attributes (onclick, onerror and the like) from HTML elements in the source translation strings before outputting them in the editor in the plugin's admin panel. Any user with access to the plugin (the Translator and Administrator roles by default) can therefore add arbitrary JavaScript payloads to the source strings; the payload is stored with the strings and runs in the browser of any other user who later opens them in the editor, a stored cross-site scripting (XSS) vulnerability.
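The fix class the advisory calls for is to strip inline event handler attributes from the markup of a source string before the editor renders it, while keeping the legitimate tags and attributes (links, emphasis, title text) that translation strings commonly contain. The following is an added example written for this page, not the plugin's own code and not the change shipped in 2.6.1: it rebuilds the markup with Python's standard HTML parser and drops every attribute whose name begins with `on`. `SAMPLE_SOURCE` is a constructed string standing in for a poisoned entry in a translation file; `strip_inline_events` and `find_inline_events` are hypothetical helper names.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample: a source string as it might be stored in a .po/.pot file
# and later shown in the editor. The two event attributes are the injected
# payload; the <b title=...> element is legitimate markup that must survive.
SAMPLE_SOURCE = (
    'Read the <a href="/docs" onmouseover="alert(document.cookie)">docs</a> '
    'or <img src="x" OnError=alert(1)> and <b title="a &amp; b">bold</b> text.'
)


class InlineEventStripper(HTMLParser):
    """Re-emits the markup of a translation string, dropping every attribute
    whose (lowercased) name starts with "on". HTMLParser lowercases tag and
    attribute names and accepts unquoted values, so OnError=alert(1) is caught
    as well as onerror="alert(1)"."""

    def __init__(self):
        # convert_charrefs=False: entities inside text are re-emitted verbatim
        # (see handle_entityref/handle_charref) instead of being unescaped into
        # live markup, which would itself create an injection point.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = []  # (tag, attribute) pairs that were removed

    @staticmethod
    def is_inline_event(name):
        return name.lower().startswith("on")

    def _attrs(self, tag, attrs):
        parts = []
        for name, value in attrs:
            if self.is_inline_event(name):
                self.dropped.append((tag, name))
                continue
            if value is None:  # boolean attribute such as <input disabled>
                parts.append(name)
            else:
                # HTMLParser unescaped the value; escape it again on output.
                parts.append('%s="%s"' % (name, escape(value, quote=True)))
        return (" " + " ".join(parts)) if parts else ""

    def handle_starttag(self, tag, attrs):
        self.out.append("<%s%s>" % (tag, self._attrs(tag, attrs)))

    def handle_startendtag(self, tag, attrs):
        self.out.append("<%s%s />" % (tag, self._attrs(tag, attrs)))

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        pass  # comments carry no translatable text; drop them


def strip_inline_events(source):
    """Return (sanitised_markup, dropped_attributes) for one source string."""
    parser = InlineEventStripper()
    parser.feed(source)
    parser.close()
    return "".join(parser.out), parser.dropped


def find_inline_events(source):
    """Detection helper: list the inline event attributes present in a string
    without altering it, e.g. for auditing an existing translation file."""
    return strip_inline_events(source)[1]


if __name__ == "__main__":
    clean, dropped = strip_inline_events(SAMPLE_SOURCE)
    print(clean)
    print(dropped)
```

The stripper only addresses the attribute class named in the advisory. It deliberately leaves other markup alone, so a `<script>` element or a `javascript:` URL in an `href` would still pass through; an editor that has to display untrusted strings should either escape them entirely or render them through an allowlist of tags and attributes, with this `on*` rule as one part of that allowlist.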
Metrics
CVSS v3.1 base score 5.4 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: reachable over the network with low attack complexity; requires low privileges (a Translator account suffices); requires user interaction (a victim must open the affected strings in the editor); scope changed, since the script runs in the victim's browser rather than in the plugin itself; low confidentiality and integrity impact; no availability impact.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Loco Translate Project | Loco Translate | < 2.6.1 |
References
- https://wpscan.com/vulnerability/58838f51-323d-41e0-8c85-8e113dc2c587 (Exploit, Third Party Advisory)
Frequently Asked Questions
What is CVE-2022-0765?
A stored cross-site scripting vulnerability in the Loco Translate WordPress plugin before 2.6.1. Inline event handler attributes in source translation strings are not removed before the strings are rendered in the plugin's editor, so a user with access to the plugin can store JavaScript that runs in the browser of other users who open the editor.
How severe is CVE-2022-0765?
Medium: CVSS v3.1 base score 5.4. Exploitation needs an account with access to the plugin (Translator or Administrator by default) and a victim who opens the affected strings in the editor.
How do I fix CVE-2022-0765?
Update Loco Translate to version 2.6.1 or later. Until then, limit plugin access to trusted accounts and review existing source strings for injected markup.
Are you affected by CVE-2022-0765?
You are affected if a WordPress site runs Loco Translate at any version before 2.6.1, in particular where Translator-level accounts are held by users who are not fully trusted.
Source: NVD / NIST
