CVE-2018-18069
MEDIUM NUCLEIWPML 1.3.3-3.6.3 - Authenticated Stored Cross-Site Scripting via locale_file_name Parameter
Title source: llmExploitation Summary
CVE-2018-18069 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
process_forms in the WPML (aka sitepress-multilingual-cms) plugin through 3.6.3 for WordPress has XSS via any locale_file_name_ parameter (such as locale_file_name_en) in an authenticated theme-localization.php request to wp-admin/admin.php.
Nuclei Templates (1)
WordPress sitepress-multilingual-cms 3.6.3 - Cross-Site Scripting
MEDIUMby nadino
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://0x62626262.wordpress.com/2018/10/08/sitepress-multilingual-cms-plugin-unauthenticated-stored-xss/
Scores
CVSS v3
6.1
EPSS
0.1276
EPSS Percentile
95.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
wpml/wpml
1.3.3 - 3.6.3
Published
Oct 08, 2018
Tracked Since
Feb 18, 2026