Vulnerabilities and security researches for loco-translate

Jun 06, 2024

CVE, Research URL: CVE-2022-0765
Application: Loco Translate
Date: Apr 18, 2022
Research Description: The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin (Translator and Administrator by default) to add arbitrary javascript payloads to the source strings leading to a stored cross-site scripting (XSS) vulnerability.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2021-24721
Application: Loco Translate
Date: Nov 08, 2021
Research Description: The Loco Translate WordPress plugin before 2.5.4 mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users being able to inject PHP code into files ending with .php in web accessible locations.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-37236
Application: Loco Translate
Date: -
Research Description: Loco Translate [loco-translate] < 2.6.10 CVE-2024-37236
Affected versions: Min -, max -.
Status: vulnerable

PSC, Research URL: PSC-2024-64537
Application: Loco Translate
Date: -
Research Description: Loco Translate is a powerful tool designed for seamless translation management directly within your WordPress dashboard. With over 1 million downloads, this plugin has established itself as a reliable choice for developers and website owners seeking an efficient way to manage translations while maintaining top-notch security. By combining advanced features with rigorous security protocols, Loco Translate has earned the prestigious Plugin Security Certification (PSC-2024-64537) from CleanTalk, ensuring a secure and trustworthy solution for all its users.
Affected versions: Min -, max -.
Status: SAFE & CERTIFIED