Description
Cross-Site Request Forgery (CSRF) vulnerability in kornelly Translator translator allows Stored XSS. This issue affects Translator: from n/a through <= 0.3.
Published: 2025-03-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Translator plugin allows a Cross-Site Request Forgery that can write attacker-supplied script into the plugin's stored data, resulting in Stored Cross-Site Scripting. When a victim later visits the affected WordPress site, that script executes in the victim's browser, potentially leaking credentials, defacing the site, or enabling further attacks. The root cause is a classic CSRF weakness (CWE-352): an unauthenticated or low-privilege attacker can trick a privileged user into performing the state-changing action.

Affected Systems

All WordPress installations running the Translator plugin by the vendor kornelly, from its earliest release (no lower bound is given) up to and including version 0.3.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% indicates that, at this time, the probability of exploitation is low. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to deliver a crafted request, such as a link or a form submission, to a user with administrative privileges; exploitation therefore requires user interaction, but is feasible through social engineering or a malicious site.

Generated by OpenCVE AI on May 1, 2026 at 04:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Translator plugin to the latest version that removes the CSRF vulnerability (any release newer than 0.3).
  • If no newer version is available, deactivate or uninstall the Translator plugin from the WordPress installation to eliminate the attack surface.
  • Enforce strict CSRF token (WordPress nonce) validation on all of the plugin's administrative actions, and limit the exposure of the plugin's settings to a minimal set of trusted users.

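A settings handler hardened along the lines of the last bullet, added here as an illustration; it is not code from the Translator plugin or from OpenCVE. The `txl_*` names and the `greeting` option are hypothetical, and the snippet assumes it is loaded inside WordPress as part of a plugin.

```php
<?php
// Hypothetical plugin settings handler (not kornelly Translator's code).
// Assumes it runs inside WordPress, loaded as part of a plugin.

const TXL_ACTION = 'txl_save_settings'; // hypothetical admin-post action name
const TXL_OPTION = 'txl_greeting';      // hypothetical option key

// The CWE-352 -> stored XSS pattern: no nonce, no capability check, raw input
// stored, and (elsewhere) echoed without escaping. Kept only for contrast.
function txl_save_settings_vulnerable() {
    update_option( TXL_OPTION, $_POST['greeting'] );
}

// Hardened handler: capability check, nonce check, sanitize before storing.
function txl_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // Dies with 403 when the per-user, time-limited nonce is missing or stale,
    // which is what defeats a forged cross-site POST.
    check_admin_referer( TXL_ACTION );
    $greeting = sanitize_text_field( wp_unslash( $_POST['greeting'] ?? '' ) );
    update_option( TXL_OPTION, $greeting );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_' . TXL_ACTION, 'txl_save_settings' );

// Settings form: wp_nonce_field() emits the hidden _wpnonce and _wp_http_referer
// fields that check_admin_referer() verifies on submit.
function txl_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( TXL_ACTION ); ?>">
        <?php wp_nonce_field( TXL_ACTION ); ?>
        <label>Greeting
            <input type="text" name="greeting"
                   value="<?php echo esc_attr( get_option( TXL_OPTION, '' ) ); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Front-end output: escape at render time regardless of what was stored, so a
// value that slipped past input filtering still cannot become script.
function txl_render_greeting() {
    echo '<p class="txl-greeting">' . esc_html( get_option( TXL_OPTION, '' ) ) . '</p>';
}
```

Both halves matter: the nonce and capability checks close the CSRF path, and escaping on output removes the stored-XSS impact even if a forged write were to succeed.
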
Tracking


Advisories
Source: EUVD
ID: EUVD-2025-7915
Title: Cross-Site Request Forgery (CSRF) vulnerability in kornelly Translator allows Stored XSS. This issue affects Translator: from n/a through 0.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics cvssV3_1
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Cross-Site Request Forgery (CSRF) vulnerability in kornelly Translator allows Stored XSS. This issue affects Translator: from n/a through 0.3.
Values added: Cross-Site Request Forgery (CSRF) vulnerability in kornelly Translator translator allows Stored XSS.This issue affects Translator: from n/a through <= 0.3.

Type: References

Type: Metrics cvssV3_1
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 24 Mar 2025 22:15:00 +0000

Type: Metrics ssvc
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 24 Mar 2025 14:00:00 +0000

Type: Description
Values added: Cross-Site Request Forgery (CSRF) vulnerability in kornelly Translator allows Stored XSS. This issue affects Translator: from n/a through 0.3.

Type: Title
Values added: WordPress Translator plugin <= 0.3 - CSRF to Stored XSS vulnerability

Type: Weaknesses
Values added: CWE-352

Type: References

Type: Metrics cvssV3_1
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:55.862Z

Reserved: 2025-03-24T13:00:55.838Z

Link: CVE-2025-30621

Vulnrichment

Updated: 2025-03-24T21:21:15.640Z

NVD

Status: Deferred

Published: 2025-03-24T14:15:34.660

Modified: 2026-04-23T15:26:59.283

Link: CVE-2025-30621

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T04:30:08Z

Weaknesses