CVE-2022-0765

MEDIUM NUCLEI

Loco Translate <2.6.1 - XSS

Title source: llm

Description

The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin (Translator and Administrator by default) to add arbitrary javascript payloads to the source strings leading to a stored cross-site scripting (XSS) vulnerability.

Nuclei Templates (1)

WordPress Loco Translate < 2.6.1 - Cross-Site Scripting

MEDIUMVERIFIEDby 0x_Akoko

References (1)

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/58838f51-323d-41e0-8c85-8e113dc2c587

Scores

CVSS v3 5.4

EPSS 0.0730

EPSS Percentile 91.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

loco_translate_project/loco_translate < 2.6.1

Published Apr 18, 2022

Tracked Since Feb 18, 2026