1. Home
  2. CVE Database
  3. CVE-2022-0765
MEDIUM · 5.4

CVE-2022-0765

The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, ...

Vulnerability Description

The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin (Translator and Administrator by default) to add arbitrary javascript payloads to the source strings leading to a stored cross-site scripting (XSS) vulnerability.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE

Affected Products

VendorProductVersions
Loco Translate ProjectLoco Translate< 2.6.1

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2022-0765?

CVE-2022-0765 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, ...

How severe is CVE-2022-0765?

CVE-2022-0765 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-0765?

Check the references section above for vendor advisories and patch information. Affected products include: Loco Translate Project Loco Translate.