CVE-2021-24610 in TranslatePress Plugininfo

Summary

by MITRE • 09/28/2021

The TranslatePress WordPress plugin before 2.0.9 does not implement a proper sanitisation on the translated strings. The 'trp_sanitize_string' function only removes script tag with a regex, still allowing other HTML tags and attributes to execute javascript, which could lead to authenticated Stored Cross-Site Scripting issues.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/03/2025

The vulnerability identified as CVE-2021-24610 affects the TranslatePress WordPress plugin version 2.0.8 and earlier, representing a critical security flaw that undermines the plugin's ability to properly sanitize user input. This weakness specifically targets the trp_sanitize_string function which was designed to prevent malicious script execution but fails to provide comprehensive protection against cross-site scripting attacks. The plugin's sanitization mechanism employs only a basic regular expression to remove script tags, leaving other potentially dangerous HTML elements and attributes intact, thereby creating a significant attack surface for malicious actors.

The technical implementation of this vulnerability stems from insufficient input validation and sanitization practices within the TranslatePress plugin's core functionality. The trp_sanitize_string function demonstrates a flawed security approach that relies on incomplete regex patterns to filter out script tags, while simultaneously failing to address other HTML elements such as iframe, object, embed, and event attributes that can execute javascript code. This oversight creates a pathway for authenticated attackers to inject malicious payloads that persist across user sessions, making the vulnerability particularly dangerous in multi-user environments where administrators or privileged users might be targeted.

From an operational perspective, this vulnerability enables authenticated stored cross-site scripting attacks that can have severe consequences for WordPress installations using the affected plugin. An attacker with appropriate privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, data theft, privilege escalation, or redirection to malicious websites. The stored nature of this XSS vulnerability means that once a malicious payload is injected, it remains persistent in the application's database and executes automatically whenever affected users access the translated content, creating a continuous threat vector.

The security implications of this vulnerability align with CWE-79 which categorizes cross-site scripting as a critical weakness in web applications, specifically addressing the improper neutralization of input during web page generation. This flaw also maps to ATT&CK technique T1566.002 which covers the exploitation of web application vulnerabilities to execute malicious code in user browsers. Organizations using TranslatePress plugin versions prior to 2.0.9 face significant risk of compromise, particularly in environments where multiple users have administrative access or where the plugin is used to translate content that may be viewed by unauthenticated users.

Mitigation strategies for CVE-2021-24610 should prioritize immediate plugin updates to version 2.0.9 or later, which contains the necessary sanitization improvements. Additionally, administrators should implement proper input validation at multiple layers, including content filtering, HTML attribute restriction, and comprehensive sanitization of all user-provided data. Network monitoring should be enhanced to detect unusual script injection patterns, and access controls should be reviewed to limit the number of users with privileges that could exploit this vulnerability. Security professionals should also consider implementing Content Security Policy headers as an additional defense-in-depth measure to prevent execution of unauthorized scripts, while maintaining regular vulnerability scanning to identify similar issues in other WordPress plugins or themes.

Reservation

01/14/2021

Disclosure

09/28/2021

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.05432

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!