Translation Exchange <= 1.0.14 - Authenticated Stored Cross-Site Scripting (XSS)
Description
The Translation Exchange WordPress plugin through 1.0.14 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) within the Project Key text field found in the plugin's settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress/Translation Exchange
- Range: <=1.0.14
Patches
Vulnerability mechanics
Root cause
"Missing output sanitization/escaping of the Project Key input field allows stored script injection."
Attack vector
An attacker must first be authenticated as a user with access to the plugin's settings page. The attacker then injects malicious JavaScript into the "Project Key" text field, which is stored by the plugin and later rendered unsanitized in the administrative interface. When other authenticated users (including administrators) view the settings page, the stored payload executes in their browser session, leading to Stored Cross-Site Scripting (XSS) [CWE-79] [ref_id=1].
Affected code
The vulnerability resides in the Translation Exchange plugin's settings page, specifically in the "Project Key" text field. The advisory does not specify a particular file or function name, but the input field is part of the plugin's administrative settings interface [ref_id=1].
What the fix does
The advisory states that no known fix is available for this vulnerability [ref_id=1]. As of the last update, the plugin through version 1.0.14 remains unpatched. Remediation would require the plugin developer to properly escape or sanitize the "Project Key" input before storing it and/or before rendering it in the settings page to prevent script execution.
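One way to apply the remediation described above in a WordPress settings page, as an added example. This is not the plugin's code, which the advisory does not identify. The option name, function names and the letters-and-digits key format are assumptions.

```php
<?php
// Added example. EXAMPLE_OPTION and the example_* functions are hypothetical
// names, not identifiers from the Translation Exchange plugin.
const EXAMPLE_OPTION = 'example_project_key';

add_action('admin_init', function () {
    register_setting('example_settings', EXAMPLE_OPTION, [
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_project_key',
        'default'           => '',
    ]);
});

// Input side: accept only what a key can plausibly contain (assumed here to
// be letters and digits). On a bad value, report it and keep the stored one.
function example_sanitize_project_key($raw) {
    $key = sanitize_text_field((string) $raw);
    if ($key !== '' && !preg_match('/^[A-Za-z0-9]{1,64}$/', $key)) {
        add_settings_error(EXAMPLE_OPTION, 'invalid_key',
            'Project Key may contain only letters and digits.');
        return (string) get_option(EXAMPLE_OPTION, '');
    }
    return $key;
}

// Unsafe pattern, for contrast: the stored value is concatenated into the
// page with no escaping, so markup saved in the option is parsed as markup.
function example_render_field_unsafe() {
    echo '<input type="text" name="' . EXAMPLE_OPTION . '" value="'
        . get_option(EXAMPLE_OPTION, '') . '">';
}

// Hardened: escape for the HTML attribute context at output time, so a value
// stored before the sanitizer existed is still rendered as inert text.
function example_render_field() {
    if (!current_user_can('manage_options')) {
        return; // only administrators see or edit the field
    }
    printf(
        '<input type="text" name="%s" value="%s" class="regular-text">',
        esc_attr(EXAMPLE_OPTION),
        esc_attr((string) get_option(EXAMPLE_OPTION, ''))
    );
}
```

Escaping at output is the control that matters for values already in the database; the input-side check only stops new bad values from being saved.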
Preconditions
- auth: Attacker must be authenticated as a user with access to the plugin's settings page
- config: The vulnerable plugin (Translation Exchange) must be installed and activated
- input: Attacker must be able to submit input to the Project Key text field
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- wpscan.com/vulnerability/c0dd3ef1-579d-43a4-801a-660c41495d58 (mitre, x_refsource_MISC)