13 Jul 2021

Authenticated Persistent Cross-Site Scripting Vulnerability in Google Language Translator WordPress Plugin

The most recent version of the WordPress plugin Google Language Translator, 6.0.10, includes a change that “added url satinization to avoid XSS injections”. There are a couple of problems with that. First, because of the way the developer added the new version, it is not being made available to either existing or new users of the plugin; both are still being provided with 6.0.9. Second, the escaping (not sanitization) that was added is missing elsewhere in the same lines of code, so the plugin still contains an authenticated persistent cross-site scripting (XSS) vulnerability.

We confirmed that there is an exploitable instance of this with the first line that was changed in the new version. [Read more]

4 Apr 2016

Reflected Cross-Site Scripting (XSS) Vulnerability in Google Language Translator

We recently discovered that the Google Language Translator plugin has a reflected cross-site scripting (XSS) vulnerability. In version 5.0.05, and some prior versions, the file /google-language-translator.php was echoing a POST variable without escaping it. That occurs on line 1207:

<td><?php if (isset ($_POST['googlelanguagetranslator_flags_order']) ) { echo $_POST['googlelanguagetranslator_flags_order']; } ?></td>
 </tr>
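A code-review check for this pattern, as an added example that is not part of the original post or the plugin: it flags echo statements that output request data with no escaping call around it. The function names and the second sample line (an escaped variant using WordPress's esc_html() and wp_unslash()) are constructed for illustration and are not the plugin's actual fix.

```python
import re

# Calls that make a value safe to echo into HTML: WordPress escaping helpers
# plus PHP built-ins. Extend the list to match the code base under review.
ESCAPERS = {"esc_html", "esc_attr", "esc_url", "esc_textarea",
            "htmlspecialchars", "intval", "absint"}

# An echo/print statement, up to its terminating semicolon or closing PHP tag.
ECHO_STMT = re.compile(r"\b(?:echo|print)\b(.*?)(?:;|\?>)", re.S)
SUPERGLOBAL = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")
PAREN = re.compile(r"(\w+)?\s*\(|\)")

def enclosing_calls(expr, pos):
    """Names of the calls whose parentheses are still open at expr[pos].
    Heuristic: parentheses inside string literals are not handled."""
    stack = []
    for m in PAREN.finditer(expr[:pos]):
        if m.group(0) == ")":
            if stack:
                stack.pop()
        else:
            stack.append(m.group(1) or "")
    return stack

def find_unescaped_echoes(php_source):
    """Return (line_number, expression) for each echo of request data
    that is not wrapped, directly or indirectly, in an escaping call."""
    findings = []
    for stmt in ECHO_STMT.finditer(php_source):
        expr = stmt.group(1)
        for var in SUPERGLOBAL.finditer(expr):
            if ESCAPERS.isdisjoint(enclosing_calls(expr, var.start())):
                line = php_source.count("\n", 0, stmt.start()) + 1
                findings.append((line, expr.strip()))
                break
    return findings

# Constructed sample: line 1 is the line quoted in the post, line 2 is an
# escaped variant written for this example.
SAMPLE = """<td><?php if (isset ($_POST['googlelanguagetranslator_flags_order']) ) { echo $_POST['googlelanguagetranslator_flags_order']; } ?></td>
<td><?php if (isset ($_POST['googlelanguagetranslator_flags_order']) ) { echo esc_html( wp_unslash( $_POST['googlelanguagetranslator_flags_order'] ) ); } ?></td>
"""

if __name__ == "__main__":
    for line, expr in find_unescaped_echoes(SAMPLE):
        print(f"line {line}: unescaped output of request data: {expr}")
```

The check only looks at direct echoes of superglobals, so values copied into a variable or stored in the database before output (the persistent case in the 2021 post) need a data-flow-aware tool.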

Proof Of Concept

The following proof of concept page will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers. [Read more]