CVE-2025-8719

Vulnerability

Analysis

The Translate This gTranslate Shortcode WordPress plugin (versions up to and including 1.0) contains a Stored Cross-Site Scripting (XSS) vulnerability. The root cause is insufficient input sanitization and output escaping of the base_lang parameter in the shortcode's attributes [1]. The shortcode function translate_this_shortcode directly uses the unsanitized base_lang value in the generated HTML without proper validation or escaping [1]. This allows an attacker to inject arbitrary JavaScript code that persists on the page.

Exploitation

Prerequisites

An attacker must have authenticated access to the WordPress site with at least Contributor-level permissions (or higher). The attacker can then inject malicious scripts through the base_lang parameter when using the [translate_this] shortcode in a post or page. The injected script will execute automatically in the browser of any user who views the compromised page [description]. No additional user interaction beyond viewing the page is required.

Impact

Successful exploitation leads to stored XSS, which can result in session hijacking, redirection to malicious sites, defacement, or theft of sensitive data such as cookies and authentication tokens. The attack targets all users accessing the affected page, including administrators, making it a significant security risk for sites using this plugin.

Mitigation

Status

The plugin has been closed on the WordPress Plugin Directory as of August 14, 2025, due to this security issue and is no longer available for download [2]. Users should immediately remove the plugin from their WordPress installations to eliminate the vulnerability. No patched version exists, and the plugin is considered end-of-life.