TranslatePress < 2.0.9 - Authenticated Stored Cross-Site Scripting
Description
The TranslatePress WordPress plugin before 2.0.9 does not implement proper sanitisation of translated strings. The 'trp_sanitize_string' function only removes script tags with a regex, still allowing other HTML tags and attributes to execute JavaScript, which could lead to authenticated Stored Cross-Site Scripting issues.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress/TranslatePress
- Range: <2.0.9
Patches
Vulnerability mechanics
Root cause
"The 'trp_sanitize_string' function does not properly sanitize translated strings, allowing HTML and JavaScript execution."
Attack vector
An authenticated attacker can inject malicious JavaScript payloads into translated strings. The 'trp_sanitize_string' function, which is intended to sanitize these strings, only removes script tags using a regular expression. This allows other HTML tags and attributes that can execute JavaScript, such as the `onerror` attribute, to be stored and later executed when the translated content is displayed [ref_id=1]. The vulnerability can be triggered by navigating to the translation editing interface and inputting a payload like `<img src=x onerror=alert(4)>` into a gettext string, then saving it [ref_id=1].
Affected code
The vulnerability lies within the 'trp_sanitize_string' function in the TranslatePress WordPress plugin. This function is responsible for sanitizing translated strings before they are stored in the database. The current implementation uses a regular expression to remove only script tags, leaving other HTML tags and attributes that can execute JavaScript vulnerable.
What the fix does
The patch is not available in the provided information. The advisory indicates that the 'trp_sanitize_string' function only removes script tags, allowing other HTML tags and attributes to execute JavaScript. Proper sanitization should remove or neutralize all potentially harmful HTML and JavaScript code, not just script tags.
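To make the advisory's point concrete, the following is an added example (not the plugin's own code and not the 2.0.9 patch): a reconstruction of the described weakness, a sanitiser that only strips `<script>` elements with a regular expression, placed beside an allowlist-based sanitiser that keeps only known-safe tags and attributes. The allowlist, the `is_safe_href` helper and the sample strings are assumptions made for this example; in a WordPress plugin the equivalent hardening is to pass the string through `wp_kses()` with an explicit allowlist instead of a regex.

```python
import re
from html import escape
from html.parser import HTMLParser

# Reconstruction of the weakness the advisory describes: only <script>...</script>
# is removed, so tags carrying event-handler attributes pass through untouched.
# Assumption: this mirrors the described behaviour, not the plugin's actual source.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)

def weak_sanitize(s: str) -> str:
    return SCRIPT_RE.sub("", s)

# Allowlist chosen for this example; a real deployment tunes it to its content.
ALLOWED_TAGS = {"b", "strong", "i", "em", "br", "a", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"class"}}

def is_safe_href(value: str) -> bool:
    """Accept http(s), mailto and site-relative paths; reject javascript: and
    protocol-relative URLs. Hypothetical helper written for this example."""
    v = (value or "").strip().lower()
    if v.startswith(("http://", "https://", "mailto:")):
        return True
    return v.startswith("/") and not v.startswith("//")

class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags and attributes.
    Every on* attribute is dropped because it is never in the allowlist, so an
    attribute-based payload such as <img src=x onerror=...> is neutralised."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content is still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not is_safe_href(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes are re-escaped so nothing in them can reopen a tag.
        self.out.append(escape(data, quote=False))

def strict_sanitize(s: str) -> str:
    p = AllowlistSanitizer()
    p.feed(s)
    p.close()
    return "".join(p.out)

if __name__ == "__main__":
    # Constructed sample: the payload shape quoted in the advisory.
    payload = "<img src=x onerror=alert(4)>"
    print("weak  :", repr(weak_sanitize(payload)))    # payload survives unchanged
    print("strict:", repr(strict_sanitize(payload)))  # tag dropped entirely
```

Running the block shows the contrast directly: the regex-only sanitiser returns the `<img ... onerror=...>` string unchanged because no `<script>` element is present, while the allowlist sanitiser drops the unknown tag and with it the event handler, and also strips `on*` attributes and `javascript:` URLs from tags that are otherwise permitted.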
Preconditions
- auth: The attacker must be authenticated to the WordPress instance.
- input: The attacker needs to input a malicious payload into a translated string.
Reproduction
1. Go to http://localhost:8888/wordpress/?trp-edit-translation=true
2. Input Gettext String
3. Input the payload such as <img src=x onerror=alert(4)>
4. Save. The payload will be executed.
5. Look at the homepage; it will be affected.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/164306/WordPress-TranslatePress-2.0.8-Cross-Site-Scripting.html (MISC)
- wpscan.com/vulnerability/b87fcc2f-c2eb-4e23-9757-d1c590f26d3f (MISC)
News mentions
No linked articles in our index yet.