CVE-2021-24610

MEDIUM

TranslatePress < 2.0.9 - Authenticated Stored Cross-Site Scripting via Insufficient String Sanitization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-24610. PoCs published by Nosa Shandy.

AI-analyzed exploit summary This is a writeup describing a stored XSS vulnerability in WordPress Plugin TranslatePress 2.0.8. The exploit leverages insufficient sanitization of the 'translated' parameter, allowing an attacker to inject malicious JavaScript via HTML tags like <img src=x onerror=alert(4)>.

Description

The TranslatePress WordPress plugin before 2.0.9 does not implement a proper sanitisation on the translated strings. The 'trp_sanitize_string' function only removes script tag with a regex, still allowing other HTML tags and attributes to execute javascript, which could lead to authenticated Stored Cross-Site Scripting issues.

Exploits (1)

exploitdb WRITEUP
by Nosa Shandy · textwebappsphp
https://www.exploit-db.com/exploits/50343

This is a writeup describing a stored XSS vulnerability in WordPress Plugin TranslatePress 2.0.8. The exploit leverages insufficient sanitization of the 'translated' parameter, allowing an attacker to inject malicious JavaScript via HTML tags like <img src=x onerror=alert(4)>.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: WordPress Plugin TranslatePress 2.0.8
Auth required
Prerequisites: Authenticated access to the WordPress admin panel · TranslatePress plugin version 2.0.8 or earlier
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/b87fcc2f-c2eb-4e23-9757-d1c590f26d3f

Scores

CVSS v3 4.8
EPSS 0.0543
EPSS Percentile 91.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
cozmoslabs/translatepress < 2.0.9
Published Sep 27, 2021
Tracked Since Feb 18, 2026