CVE-2021-34630

Public Exploit

Reflected XSS in GTranslate Pro and GTranslate Enterprise < 2.8.65

Description

In the Pro and Enterprise versions of GTranslate < 2.8.65, the gtranslate_request_uri_var function runs at the top of all pages and echoes out the contents of $_SERVER['REQUEST_URI']. Although this uses addslashes, and most modern browsers automatically URLencode requests, this plugin is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below, or in cases where an attacker is able to modify the request en route between the client and the server, or in cases where the user is using an atypical browsing solution.

References

Link	Tags
https://plugins.svn.wordpress.org/gtranslate/tags/2.8.64/gtranslate.php	third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2021-34630?: CVE-2021-34630 has been scored as a medium severity vulnerability.
How to fix CVE-2021-34630?: To fix CVE-2021-34630, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-34630 being actively exploited in the wild?: It is possible that CVE-2021-34630 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-34630?: CVE-2021-34630 affects Translate AI Multilingual Solutions GTranslate Pro and GTranslate Enterprise.

Description

Categories

CWE-116 – Improper Encoding or Escaping of Output

CWE-79 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

References

Frequently Asked Questions