Description

WPML is a WordPress plugin for building multilingual WordPress sites. A vulnerability has been found in the WPML plugin up to version 3.6.3 that allows an attacker to inject arbitrary html and script code into the WordPress site. This vulnerability affects the file sitepress.class.php and can be exploited via the POST parameter locale_file_name_en.

Remediation

Upgrade to the latest version of the WPML plugin.

References

Sitepress Multilingual CMS Plugin Unauthenticated Stored XSS

The WordPress Multilingual Plugin

Related Vulnerabilities

WordPress Plugin Jibu Pro Cross-Site Scripting (1.7)

Joomla! Core 1.5.x Cross-Site Scripting (1.5.0 - 1.5.9)

WordPress Plugin Ad Blocker Notify Lite Cross-Site Scripting (2.4.0)

WordPress Plugin WP Admin UI Customize Cross-Site Scripting (1.5.2.6)

WordPress Plugin White Label CMS Cross-Site Scripting (2.2.8)

Severity

High

Classification

CVE-2018-18069 CWE-80 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Tags

XSS