cleantalk
Vulnerabilities and Security Researches

Loco Translate, CVE-2022-0765

CVE, Research URL

CVE-2022-0765

Home page URL

Security reports for Loco Translate

Application

Loco Translate

Published on
Apr 18, 2022
Research Description
The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin (Translator and Administrator by default) to add arbitrary javascript payloads to the source strings leading to a stored cross-site scripting (XSS) vulnerability.
Affected versions
Min -, max 2.6.1.
Status
vulnerable
Previous vulnerability researches
Loco Translate , Dec 20, 2024
Loco Translate (CVE-2024-37236) , Jun 24, 2024
Loco Translate (CVE-2022-0765) , Jun 06, 2024
Loco Translate (CVE-2021-24721) , Jun 06, 2024
New vulnerability
Osom Blocks – Custom Post Type listing block (CVE-2025-5940) , Jun 27, 2025
Post Rating and Review (CVE-2025-6538) , Jun 27, 2025
WP Masonry & Infinite Scroll (CVE-2025-5488) , Jun 27, 2025
Modern Design Library (CVE-2025-5842) , Jun 27, 2025
FastBook – Responsive Appointment Booking and Scheduling System (CVE-2025-25173) , Jun 27, 2025