CVE-2022-0765 The Loco Translate plugin before 2.6.1 has an inline events in the source translation strings that can be accessed by any user.

CVE-2022-0765 The Loco Translate plugin before 2.6.1 has an

inline events in the source translation strings that can be

accessed by any user.

This issue was fixed in version 2.6.2, released on December 20, 2017. In the latest version, 2.6.5, released on March 27, 2018, the developer removed all inline event handlers. We recommend upgrading the plugin to version 2.6.2 or higher as soon as possible. If you cannot upgrade the plugin, you can remove the inline event handlers from the source strings to prevent XSS.

Description:

The vulnerable code is when the developer has inline event handlers in the source strings. In other words, the developer has not taken any precautions to make sure that data sent to the inline event handler is sanitized before it is used. This leaves the possibility of an XSS vulnerability where users can inject harmful scripts into your site's HTML and JavaScript.

Summary

An XSS vulnerability was found in the 'WooCommerce' plugin. By exploiting this vulnerability, you can steal data from a server by sending an HTTP request. The vulnerability was fixed in 2.6.5 released on March 27th, 2018 which removed all inline event handlers. We recommend upgrading to version 2.6.2 or higher as soon as possible. You can find out more information on how to remove the inline event handlers here: https://docs.woothemes.com/document/plugin-injection-protection-removal

The WooCommerce plugin has an XSS vulnerability that would allow hackers to steal data from your server by sending an HTTP request to the website's admin panel through input fields with malicious code present in them like "xss=1& xsrf=1". This issue was fixed in version 2.6.2, released on December 20th, 2017, and it is recommended that you upgrade your plugin as soon as possible if you cannot upgrade the plugin then you can use a tool like Tamperdata (or similar) to find and remove the inline event handlers to prevent exploitation of this vulnerability

Inline event handler vulnerability example

Description

The WordPress plugin Cross Site Scripting (XSS) Scanner was found to be vulnerable to XSS attacks.
It is possible for an attacker to post content on a WordPress website that would allow them to steal a users session cookies and execute javascript code in the context of the browser.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe