PT-2022-9505 · WordPress · Transposh Wordpress Translation Plugin

Julien Ahrens · Published 2022-07-28 · Updated 2022-08-25

CVE-2021-24911

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Transposh WordPress Translation plugin versions prior to 1.0.8

Description
The issue is a stored Cross-Site Scripting (XSS) vulnerability. It occurs because the tk0 parameter of the tp translation AJAX action is neither properly sanitized on input nor escaped on output. A stored value is later rendered in the plugin's admin dashboard, where it executes as script in the context of the administrator viewing it. The minimum role required to submit such a value depends on the plugin's "Who can translate?" setting.

Recommendations
For versions prior to 1.0.8, update to version 1.0.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the tp translation AJAX action or disabling the tk0 parameter until a patch is applied. Additionally, review and adjust the "Who can translate?" setting to minimize the risk of exploitation.
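Added example, not part of the advisory and not Transposh's own code: a hardened WordPress AJAX handler pattern showing the two controls whose absence the advisory describes (input sanitization of a translation parameter and HTML escaping at the point of output in the admin dashboard), together with the nonce and capability checks that enforce a "Who can translate?" role floor server-side. Only the parameter name tk0 and the "Who can translate?" setting come from the advisory; the action name, nonce action, option key, table name and function names are assumptions for illustration.

```php
<?php
// Added illustration, not Transposh's code. All names prefixed "example_"
// are assumptions; only the parameter tk0 is taken from the advisory.

add_action('wp_ajax_example_tp_translation', 'example_tp_translation_handler');

function example_tp_translation_handler() {
    // 1. CSRF protection: reject AJAX requests that lack a valid nonce.
    check_ajax_referer('example_tp_translation_nonce', 'nonce');

    // 2. Authorisation: the "Who can translate?" setting (assumed to be stored
    //    as a capability in the option 'example_tp_min_cap') is enforced on
    //    every request, not only in the UI that hides the form.
    $min_cap = get_option('example_tp_min_cap', 'edit_posts');
    if (!current_user_can($min_cap)) {
        wp_send_json_error(array('message' => 'insufficient privileges'), 403);
    }

    // 3. Input sanitisation: tk0 is plain text. wp_unslash() removes the
    //    slashes WordPress adds to $_POST, sanitize_text_field() strips tags,
    //    octets and control characters. The value is never treated as HTML.
    $tk0 = isset($_POST['tk0'])
        ? sanitize_text_field(wp_unslash($_POST['tk0']))
        : '';
    if ($tk0 === '' || mb_strlen($tk0) > 2000) {
        wp_send_json_error(array('message' => 'invalid translation'), 400);
    }

    // Persist via $wpdb->insert(), which parameterises the values
    // (table name is an assumption).
    global $wpdb;
    $wpdb->insert(
        $wpdb->prefix . 'example_translations',
        array('translation' => $tk0, 'user_id' => get_current_user_id()),
        array('%s', '%d')
    );

    wp_send_json_success(array('stored' => true));
}

// 4. Output escaping: sanitising on input alone is not sufficient, because
//    older rows or other code paths may have stored unfiltered text. The
//    stored value is escaped for the HTML context at the moment it is
//    rendered in the admin dashboard, which is what neutralises a stored
//    payload regardless of how it got into the database.
function example_tp_render_translation_row(array $row) {
    printf(
        '<tr><td>%s</td><td>%s</td></tr>',
        esc_html($row['translation']),
        esc_html(get_the_author_meta('display_name', (int) $row['user_id']))
    );
}

// If the same value is handed to dashboard JavaScript instead of HTML,
// escape for that context instead: wp_json_encode() for a JS literal,
// esc_attr() inside an attribute, esc_url() inside an href.
```

The point for a reviewer checking a fix of this kind is that both halves are present: a capability check and nonce on the AJAX action so the role floor cannot be bypassed, and context-appropriate escaping (`esc_html`, `esc_attr`, `wp_json_encode`) wherever the stored translation is written back into the admin pages.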

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2021-24911

Affected Products

Transposh Wordpress Translation Plugin