Unrated severityNVD Advisory· Published Apr 18, 2022· Updated Aug 2, 2024

Loco Translate < 2.6.1 - Authenticated Stored Cross-Site Scripting

CVE-2022-0765

Description

The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin (Translator and Administrator by default) to add arbitrary javascript payloads to the source strings leading to a stored cross-site scripting (XSS) vulnerability.

Affected products

WordPress/Loco Translatev5
Range: 2.6.1
Package: https://wordpress.org/plugins/loco-translate

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

wpscan.com/vulnerability/58838f51-323d-41e0-8c85-8e113dc2c587mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.006
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000