Authenticated Stored XSS on Custom text for the floating widget field - Translate WordPress – Google Language Translator
Version: 6.0.11
Author: Translate AI Multilingual Solutions
Last Updated: 2 weeks ago
Requires WordPress Version: 2.9 or higher
Compatible up to: 5.8
Active Installations: 100,000+
URL: https://wordpress.org/plugins/google-language-translator/
The vulnerability is in the Custom text for the floating widget field: the parameter is not escaped, so HTML injection is possible. Looking at the source code, the floating_widget_text parameter is not passed through any filter, and because the value is saved and later output, it is vulnerable to XSS. A stored XSS payload can therefore be persisted in the floating_widget_text parameter.
File: google-languange-translator.php
Lines: 369 - 373

```php
if( $is_active == 1) {
    if ($floating_widget=='yes') {
        // $floating_widget_text is concatenated into the markup without escaping
        $str.='<div id="glt-translate-trigger"><span'.($floating_widget_text_translation_allowed != 1 ? ' class="notranslate"' : ' class="translate"').'>'.(empty($floating_widget_text) ? 'Translate »' : $floating_widget_text).'</span></div>';
        $str.='<div id="glt-toolbar"></div>';
    } //endif $floating_widget
```
- Go to Settings > Translate WordPress – Google Language Translator
- Enter an HTML / XSS payload into the Custom text for the floating widget field, such as
"<h1>asd</h1><img src=x onerror=alert(1)>"
- Save
- The XSS is executed wherever the floating widget is rendered

PoC script invocation (the exploit.py script itself is not included on this page):

```shell
python3 exploit.py http://localhost:8888/wordpress/ admin admin
```
Stored XSS on the floating_widget_text parameter, which can affect any user who loads a page where the widget is rendered.

Filter the floating_widget_text parameter with the esc_attr function.

File: google-languange-translator.php
Line: 361

```php
// Escape the option value before it is concatenated into the widget markup
$floating_widget_text = esc_attr(get_option ('googlelanguagetranslator_floating_widget_text'));
```
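The following is an added example, not the plugin's code, that mirrors the widget rendering quoted above with and without the recommended escaping and adds a small regression check a maintainer could keep. It assumes the hypothetical names render_trigger and unexpected_tags, and outside WordPress it falls back to the htmlspecialchars() call that WordPress's esc_attr() is built on.

```php
<?php
// esc_attr() only exists inside WordPress; this fallback is an assumption
// for running the example stand-alone, built on the same htmlspecialchars()
// call that WordPress's esc_attr() uses.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Hypothetical helper mirroring the plugin's trigger markup (lines 369-373).
// $escape === false reproduces the vulnerable concatenation; $escape === true
// applies the fix recommended for line 361 (escape before concatenating).
function render_trigger(string $floating_widget_text, bool $escape): string {
    $text  = $escape ? esc_attr($floating_widget_text) : $floating_widget_text;
    $label = ($text === '') ? 'Translate »' : $text;
    return '<div id="glt-translate-trigger"><span class="notranslate">'
        . $label . '</span></div>';
}

// Regression check: the trigger markup must contain only the tags the plugin
// itself emits. Any other tag name means the option value was rendered as
// HTML rather than as text.
function unexpected_tags(string $html): array {
    preg_match_all('/<\/?([a-zA-Z][a-zA-Z0-9]*)/', $html, $m);
    $found = array_unique(array_map('strtolower', $m[1]));
    return array_values(array_diff($found, ['div', 'span']));
}

// Constructed sample input: the payload shown in the advisory above.
$payload = '<h1>asd</h1><img src=x onerror=alert(1)>';

$vulnerable = unexpected_tags(render_trigger($payload, false));
$fixed      = unexpected_tags(render_trigger($payload, true));

echo "unescaped rendering, unexpected tags: "
    . ($vulnerable ? implode(',', $vulnerable) : '(none)') . "\n";
echo "escaped rendering, unexpected tags:   "
    . ($fixed ? implode(',', $fixed) : '(none)') . "\n";
```

With escaping applied the payload survives only as text inside the span, so the check reports no unexpected tags; without it the injected h1 and img elements are reported.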
05 August 2021 - Reported to vendor
06 August 2021 - Vendor responded and said this is intended behaviour

This page was created on 05 August 2021.