CVE-2021-24610

MEDIUM

Cozmoslabs Translatepress < 2.0.9 - XSS

Title source: rule

Description

The TranslatePress WordPress plugin before 2.0.9 does not implement a proper sanitisation on the translated strings. The 'trp_sanitize_string' function only removes script tag with a regex, still allowing other HTML tags and attributes to execute javascript, which could lead to authenticated Stored Cross-Site Scripting issues.

Exploits (1)

exploitdb WRITEUP

by Nosa Shandy · textwebappsphp

https://www.exploit-db.com/exploits/50343

View Code ZIP pw:eip

References (2)

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/b87fcc2f-c2eb-4e23-9757-d1c590f26d3f

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/164306/WordPress-TranslatePress-2.0.8-Cross-Site-Scripting.html

Scores

CVSS v3 4.8

EPSS 0.0157

EPSS Percentile 81.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

cozmoslabs/translatepress < 2.0.9

Published Sep 27, 2021

Tracked Since Feb 18, 2026