WBase de Datos de Vulnerabilidades de WordPress

Alerta de seguridad de Hong Kong Prisna GWT XSS (CVE202412680)

Cross Site Scripting (XSS) en el plugin Prisna GWT – Google Website Translator de WordPress
0
Compartidos
0
0
0
0
Nombre del plugin Prisna GWT – Google Website Translator
Tipo de vulnerabilidad Scripting entre sitios (XSS)
Número CVE CVE-2024-12680
Urgencia Baja
Fecha de publicación de CVE 2026-01-30
URL de origen CVE-2024-12680

CVE-2024-12680: Admin Stored XSS in Prisna GWT – Google Website Translator (≤ 1.4.13) — What WordPress Site Owners Need to Know

Autor: Experto en seguridad de Hong Kong · Fecha: 2026-01-30

TL;DR — A stored Cross‑Site Scripting (XSS) vulnerability (CVE‑2024‑12680) affects Prisna GWT – Google Website Translator plugin versions older than 1.4.14. Exploitation requires an authenticated administrator to interact (user interaction required) but can result in script execution in the admin context. Update to 1.4.14 immediately, audit the database for injected scripts, and apply temporary mitigations including WAF rules and admin account hardening.

Resumen

On 30 January 2026 a stored Cross‑Site Scripting (XSS) vulnerability affecting the WordPress plugin “Prisna GWT – Google Website Translator” (versions < 1.4.14) was published and assigned CVE‑2024‑12680. The vulnerability is classified as an “Admin+ Stored XSS” — meaning a privileged account (administrator) can be targeted, and a malicious payload saved in plugin data will execute in the browser when certain admin pages or UI elements are viewed or interacted with.

Although the vulnerability’s base severity is moderate (CVSS 5.9), the practical risk is limited by the required privileges and user interaction. However, stored admin‑side XSS can enable post‑exploitation actions such as:

  • Injection of administrative JavaScript to facilitate persistence (e.g., changing site options or introducing backdoors)
  • Stealing cookies or authentication tokens of administrators (session takeover)
  • Triggering further automated attacks or lateral movement when chained with other flaws
  • Injecting malicious admin UI elements to phish credentials or introduce malicious redirects

This guide explains the issue, safe detection steps, mitigation options, and recovery guidance from the perspective of a Hong Kong security practitioner.

What exactly is an “Admin Stored XSS”?

Stored XSS occurs when user-supplied data is stored on the server and later rendered to users without proper sanitization or encoding. In an “Admin Stored XSS” case:

  • The payload is stored in plugin options, admin settings, or other server‑side storage by an attacker (or a compromised admin account).
  • When another administrator (or the same admin performing a routine task) opens a plugin admin page, the stored script executes in their browser context.
  • Because this executes within the administrator’s browser and with the privileges of that user, it can perform any action the user can perform via the UI — including changing settings, editing theme/plugin files, creating new users, etc.

In this report, the plugin accepts admin input that was insufficiently sanitized or escaped before being output in the admin UI.

Scope and affected versions

  • Affected plugin: Prisna GWT – Google Website Translator
  • Affected versions: any version older than 1.4.14 (< 1.4.14)
  • Fixed in: 1.4.14
  • CVE: CVE‑2024‑12680
  • Privilegio requerido: Administrador
  • User interaction: Required (the admin must view/click a crafted page or link)
  • OWASP Category: A3 — Injection (Cross‑Site Scripting)
  • Patch priority: Low (but roll out is still recommended as soon as possible)

Why you should still care (even if it needs admin access)

Many site compromises begin with admin credential theft or social engineering. Attackers can obtain admin credentials through phishing, reused passwords, or compromised developer tools. Stored XSS in the admin UI is attractive because it allows attackers to:

  • Turn a single compromised admin session into persistent control through code injection or configuration changes
  • Circumvent server‑side protections by manipulating the admin’s browser (client‑side persistence)
  • Use social engineering to trick an admin into loading a crafted URL or opening a specific settings page

Therefore, despite the privilege requirement, downstream impacts can be severe.

High‑level exploitation flow (non‑actionable)

Note: No exploit code or step‑by‑step weaponisation instructions are provided.

  1. A privileged user is tricked into visiting a crafted admin URL or interacting with a malicious input form.
  2. The attacker uses plugin settings or option fields to store a payload containing JavaScript.
  3. When an admin opens the relevant plugin admin page, the browser executes the stored script.
  4. The script acts in the context of the admin’s authenticated session — changing options, adding users, exfiltrating tokens, etc.

Immediate remediation is to remove the vulnerable output path or update to the patched plugin.

Acciones inmediatas (qué hacer ahora mismo)

If you run WordPress sites with this plugin installed, take these steps immediately:

  1. Update Immediately
    • Update the plugin to version 1.4.14 (or later) across production, staging and development environments as soon as possible.
    • If automatic updates are not enabled, schedule the update and centralise updates where possible.
  2. Si no puedes actualizar de inmediato, desactiva el plugin
    • Temporarily deactivate the plugin until it can be updated. This removes the vulnerable admin UI output where stored payloads can execute.
  3. Audit administrator accounts and sessions
    • Obligue a un restablecimiento de contraseña para todas las cuentas de administrador.
    • Invalidate all active sessions (use session management tools or WP‑CLI where available).
    • Enable Two‑Factor Authentication (2FA) for all administrators.
  4. Scan for injected script content
    • Search the database for suspicious strings commonly associated with XSS: <script, onerror=, onload=, javascript:, document.cookie, innerHTML= and other patterns.
    • Check plugin-specific options (wp_options rows with option_name matching the plugin’s keys), plus post_meta and term_meta areas the plugin may use.
    • Run searches on a staging copy to avoid accidental changes to production data.
  5. Use a Web Application Firewall (WAF) to create temporary protections
    • Add WAF rules to block admin POST requests that contain script tags or dangerous attributes.
    • Block requests with javascript: URIs or encoded script sequences (e.g. %3Cscript).
    • Prevent unauthenticated or low‑privilege users from accessing sensitive admin endpoints.
  6. Review and clean any detected injections
    • If you find injected scripts in the database, remove them carefully.
    • Consider restoring from a clean backup if you cannot confidently remove all malicious entries.
    • Rotate API keys and credentials stored in options after cleaning.

Detección: cómo encontrar signos de explotación

Busca los siguientes indicadores:

  • New or modified administrator user accounts you did not create
  • Unexpected changes in plugin or theme files
  • Recent modifications to the site’s wp_options table entries linked to the translator plugin
  • HTML containing <script> or event handler attributes inside admin option fields
  • Unusual outbound connections from the site
  • Administrative logins from unknown IP addresses or abnormal times

Sample SQL queries for investigation (run from a secure environment or staging copy):

SELECT option_id, option_name, option_value
FROM wp_options
WHERE option_value LIKE '%
SELECT meta_id, meta_key, meta_value
FROM wp_postmeta
WHERE meta_value LIKE '%
SELECT option_id, option_name FROM wp_options
WHERE option_value LIKE '%onerror=%' OR option_value LIKE '%onload=%' OR option_value LIKE '%javascript:%';

Always run searches on a database copy to avoid accidental changes in production.

Safe cleanup and recovery guidance

  1. Isolate first
    • Put the site in maintenance mode and disable the vulnerable plugin until cleanup finishes.
  2. Backup
    • Take a full backup of site files and the database, preserving the current state for forensic review.
  3. Remove injected content safely
    • Replace or remove offending option values using carefully scoped UPDATE queries or WP‑CLI search‑replace.
    • Avoid naïve regex replacements that can corrupt serialized PHP data — use serialization‑aware tools.
  4. Harden and restore
    • Reinstall the plugin from a fresh copy downloaded from the official plugin repository after updating to the patched version.
    • Reset admin passwords and API keys; enable 2FA and review user permissions.
  5. Monitor
    • Monitor for anomalous behaviour for several weeks: new admin users, file changes, unexpected outbound traffic.

WAF recommendations (temporary virtual patches)

A Web Application Firewall can provide fast, temporary protection by filtering malicious payloads before they reach plugin code. Below are rule concepts — tune them to your environment and test in monitor mode first.

  1. Block POST bodies to admin endpoints containing suspicious tokens

    Den y requests to /wp-admin/* or admin-post.php when the body contains <script, onerror=, onload=, javascript: or encoded variants like %3Cscript.

    Conceptual regex (PCRE, case-insensitive):

    (?i)(<\s*script\b|javascript:|onerror\s*=|onload\s*=|document\.cookie|innerHTML\s*=)
  2. Sanitize output for known admin pages (advanced)

    Configure the WAF to strip script tags and event handler attributes from HTML responses to /wp-admin/* pages where possible. Response modification can impact functionality — test carefully.

  3. Protect plugin-specific AJAX endpoints

    Block POST/GET parameters that contain script tags or suspicious keywords for plugin-related AJAX actions.

  4. Rate limit sensitive admin actions

    Apply stricter rate limits for actions that modify options, create users, or upload files. Require re-authentication for high-risk changes.

  5. IP allow/deny lists

    Where feasible, restrict /wp-admin/ access to known IP ranges or require a VPN/gateway for admin access.

  6. Content Security Policy (CSP) for admin pages

    A restrictive CSP can help prevent inline script execution even if malicious code is present. Example header for admin pages (test for compatibility):

    Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; object-src 'none'; frame-ancestors 'none';

Deploy WAF rules in monitor mode first to identify false positives, then enforce after tuning.

Example WAF rule templates (conceptual — tune & test)

These are conceptual rules you can implement in your WAF management console. They are expressed as logic rather than copy‑paste rules.

  • Rule 1: Block suspicious script payloads in admin POSTs

    When: Request URL matches /wp-admin/* OR /wp-admin/admin-ajax.php
    And: Request body (POST) contains regex (?i)(<\s*script\b|javascript:|onerror\s*=|onload\s*=|document\.cookie|innerHTML\s*=)
    Then: Block request, log event, notify administrator

  • Rule 2: Block suspicious query strings containing encoded scripts

    When: Any request query string contains %3Cscript or javascript: (case-insensitive)
    Then: Challenge (CAPTCHA) or block depending on risk tolerance

  • Rule 3: Limit changes to plugin options

    When: POST to admin endpoint with parameter names known to belong to the translator plugin
    And: Request size > threshold or contains suspicious patterns
    Then: Require re-authentication or 2FA confirmation before applying changes

  • Rule 4: Response sanitization (optional / advanced)

    When: Response to admin page contains script tags in plugin output
    Then: Replace or remove <script> occurrences from response before returning to client (use with caution)

Response modification is powerful but potentially disruptive — test in staging.

Hardening best practices for administrators (prevention and mitigation)

  • Least privilege: Only give Administrator role to accounts that absolutely need it.
  • Dedicated admin accounts: Separate development and content accounts from administrative accounts.
  • Enforce strong passwords and 2FA for every admin and delegated user.
  • Limit plugin installations: Remove unused or unmaintained plugins.
  • Centralized updates: Maintain a patch/update procedure and apply security fixes within defined SLAs.
  • Monitoring: Implement file integrity monitoring and activity logs for admin actions.
  • Backups: Maintain recent backups and test restore procedures regularly. Keep at least one offline backup not writable from the application.

Post‑incident forensic checklist

  1. Preserve logs and backups
    • Export access logs, WAF logs, and server logs. Snapshot site and database for later review.
  2. Engage a security professional or incident response team
    • Triage the extent of compromise and assess data exfiltration risk.
  3. Reinstall core and plugins
    • Reinstall WordPress core, themes and plugins from trusted sources after verifying they are clean and up to date.
  4. Rotate secrets
    • Rotate API keys, OAuth tokens, and third‑party credentials stored on the site.
  5. Notify stakeholders
    • If user data or administrative control was impacted, follow incident response and legal reporting procedures.

Frequently asked questions

Q: Can an attacker exploit this remotely without any access?
A: No. This stored XSS variant requires an administrator's credentials to store the payload and an admin to interact with the crafted content. It is not an unauthenticated full‑site takeover vector by itself.
Q: Can a non‑admin user exploit this?
A: Not in the described context. The vulnerability involves admin‑side UI output and storage. However, privilege escalation or other chained vulnerabilities could change that assessment.
Q: Will a WAF stop this for good?
A: A WAF provides a critical layer of defence and can mitigate the attack vector quickly (virtual patching), but it is not a substitute for applying the official plugin update. Patch the plugin as the definitive fix.
Q: Should I remove the plugin?
A: If you do not need the translator plugin’s functionality, removing it permanently reduces attack surface. If you need it, update to the patched version immediately and apply the hardening steps above.

Final notes and immediate checklist

  • Update Prisna GWT – Google Website Translator to version 1.4.14 (or uninstall if not needed).
  • If you cannot update immediately — deactivate the plugin and apply temporary WAF rules to block suspicious admin input.
  • Audit the database for stored scripts and sanitize any admin‑stored fields.
  • Reset admin passwords and enable 2FA for all administrative accounts.
  • Monitor logs and look for signs of post‑exploitation (new admin accounts, file changes, outbound anomalies).
  • If needed, consult a qualified security professional for incident response and remediation.

Stay vigilant. From a Hong Kong security expert perspective: prompt patching, least‑privilege admin practices, and careful monitoring are the most practical controls to reduce risk from this vulnerability.

— Hong Kong Security Expert

0 Shares:
Compartir 0
Tweet 0
Fijarlo 0

— Artículo anterior

Community Alert CSRF in WP Logs Book(CVE20244475)

Siguiente artículo —

Community Alert Cross Site Scripting in ProfilePress(CVE202413121)

También te puede gustar