CVE-2021-24910: 
WordPress vulnerability analysis and mitigation

The Transposh WordPress Translation WordPress plugin before version 1.0.8 contains a Reflected Cross-Site Scripting vulnerability, identified as CVE-2021-24910. The vulnerability was discovered by Julien Ahrens and publicly disclosed on February 22, 2022. The issue affects the plugin's AJAX functionality and is accessible to both authenticated and unauthenticated users when the curl library is installed (WPScan).

The vulnerability stems from improper sanitization and escaping of the 'a' parameter in an AJAX action. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. A proof of concept exploit involves sending a malicious request to '/wp-admin/admin-ajax.php' with specific parameters that can trigger cross-site scripting (WPScan, NVD).

When exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers who visit the affected pages. This can lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's session (WPScan).

The vulnerability has been patched in version 1.0.8 of the Transposh WordPress Translation plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).