CVE-2021-24912: 
WordPress vulnerability analysis and mitigation

CVE-2021-24912 affects the Transposh WordPress Translation plugin versions before 1.0.8. The vulnerability was discovered by Julien Ahrens and was publicly disclosed on February 22, 2022. This security issue combines a Cross-Site Request Forgery (CSRF) vulnerability with a potential Stored Cross-Site Scripting (XSS) attack vector in the WordPress plugin (WPScan).

The vulnerability stems from the absence of CSRF protection in the plugin's tp_translation AJAX action. Additionally, the tk0 parameter lacks proper sanitization, creating a compound security risk. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity (NVD).

When exploited, this vulnerability allows attackers to manipulate authorized users into adding translations to the system. More critically, due to the lack of input sanitization, these malicious translations can contain stored XSS payloads that execute in the context of a logged-in administrator, potentially compromising the website's security (WPScan).

The vulnerability has been patched in version 1.0.8 of the Transposh WordPress Translation plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).