CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-18568 – My WP Translate <= 1.0.3 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-18568
The my-wp-translate plugin before 1.0.4 for WordPress has XSS. El plugin my-wp-translate antes de 1.0.4 para WordPress tiene XSS. The My WP Translate plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on the 'tab' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a victim's browser. • https://wordpress.org/plugins/my-wp-translate/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-18569 – My WP Translate <= 1.0.3 - Unprotected AJAX Actions
https://notcve.org/view.php?id=CVE-2017-18569
The my-wp-translate plugin before 1.0.4 for WordPress has CSRF. El plugin my-wp-translate antes de 1.0.4 para WordPress tiene CSRF. The My WP Translate plugin for WordPress is vulnerable to an authorization bypass weakness in versions up to, and including, 1.0.3. This is due to missing capability checks and nonce validation on the following functions: ajax_translation_panel(), ajax_save_translation(), ajax_add_plugin(), ajax_remove_plugin(), ajax_save_state(), ajax_import_strings(), and ajax_update_export_code(). This makes it possible for low-privileged authenticated attackers to perform a wide variety of actions such as adding or removing plugins. • https://wordpress.org/plugins/my-wp-translate/#developers • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •