Transposh WordPress Translation 1.0.7 Cross Site Scripting
Posted by deepcore on July 30, 2022 – 7:27 pm
Transposh WordPress Translation versions 1.0.7 and below have an AJAX action “tp_tp” that is vulnerable to reflected cross-site scripting, reachable both unauthenticated and authenticated, when user-supplied input to the HTTP GET parameter “q” is processed by the web application. Because the application does not properly validate and sanitize this parameter, it is possible to inject arbitrary script code into the same page.
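One way to look for requests that carry markup in this parameter is to scan web server access logs, shown here as an added example that is not part of the original advisory or the plugin's code. It assumes the action is served from WordPress's standard /wp-admin/admin-ajax.php endpoint and that logs use the combined format; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the plugin's AJAX action is reached through WordPress's standard
# admin-ajax.php endpoint; adjust the path if the site routes it differently.
AJAX_PATH = "/wp-admin/admin-ajax.php"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Tokens needed to open a tag, add an event handler or use a script URL.
# Plain text sent for translation should not normally contain them.
MARKUP_RE = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)

def suspicious_q(log_line):
    """Return the decoded q value if the line is a tp_tp request carrying markup, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith(AJAX_PATH):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if "tp_tp" not in params.get("action", []):
        return None
    for q in params.get("q", []):
        if MARKUP_RE.search(q):
            return q
    return None

# Constructed sample lines in combined log format (not from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jul/2022:19:27:00 +0000] "GET /wp-admin/admin-ajax.php?action=tp_tp&q=hello+world HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Jul/2022:19:28:10 +0000] "GET /wp-admin/admin-ajax.php?action=tp_tp&q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Jul/2022:19:28:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&q=%3Cb%3E HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Jul/2022:19:30:00 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def scan(lines):
    """Return (line index, decoded q) for every flagged line."""
    return [(i, q) for i, line in enumerate(lines)
            if (q := suspicious_q(line)) is not None]

if __name__ == "__main__":
    for idx, q in scan(SAMPLE_LOG):
        print(f"line {idx}: tp_tp request with markup in q: {q!r}")
```

The check only decodes one layer of percent-encoding, so double-encoded values need a second pass before matching.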