The WPML plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpml_language_switcher shortcode in versions 3.6.0 - 4.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NWpml
APPWpml3.6.0 – 4.7.4 (bez)
Powiązane podatności
RCE w pluginie WPML dla WordPress via Twig Server-Side Template Injection
The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allow...
SQL injection vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to execute a...
Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows user...
Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows user...