CVE-2024-0632

Vulnerability

The Automatic Translator with Google Translate plugin for WordPress auto-translate versions up to and including 1.5.4 suffer from a Stored Cross-Site Scripting (XSS) vulnerability in the custom font setting. The plugin fails to properly sanitize user input and escape output, allowing arbitrary web scripts to be injected. This issue only affects multi-site installations or WordPress setups where the unfiltered_html capability has been disabled for administrator-level users [1].

Exploitation

An attacker must be an authenticated user with administrator-level access to the WordPress site. On a multi-site network or an installation with unfiltered_html disabled, the attacker can inject malicious JavaScript into the custom font setting field. When any user (including lower-privileged users or visitors) accesses a page rendered with this setting, the injected script executes in their browser [1].

Impact

Successful exploitation results in stored cross-site scripting, enabling the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, or redirection to malicious sites. The attacker does not need to compromise the server directly; the injected script runs at the privilege level of the victim [1].

Mitigation

The vulnerability is fixed in version 1.7.0, where a custom CSS textarea was added and presumably the input sanitization improvements were included. The latest version is 1.7.1, released on 2026-05-21. Users should update to version 1.7.0 or later. No workaround is provided in the available references; if updating is not immediately possible, consider disabling the custom font setting on administrator-level users or restricting the unfiltered_html capability [1].