CVE-2022-3036 The Gettext plugin before 2.0.0 did not sanitize and escape some of its settings, which allowed high-privilege users to perform Stored Cross-Site Scripting attacks.

Prior to version 2.0.0, the unfiltered_html setting was not properly sanitised and escaped, which could lead to an information disclosure if a high privilege user (such as an administrator) were to edit the plugin settings.

In version 2.0.0 and later, the unfiltered_html setting is properly sanitised and escaped. You can upgrade to version 2.0.0 or later.

Update to version 2.0.1 or later

If you are using a version of this plugin prior to 2.0.1 on the WordPress.org Network, please update to version 2.0.1 or later.

Version 2.0.0 and later only

Update Sites

That Have Unfiltered_html Settings
The unfiltered_html setting has been changed to sanitise and escape properly in version 2.0.0 and later of the plugin. If your site was using this setting prior to this change, you should upgrade to version 2.0.0 or later. For more information on how to update your site:
- https://docs.wixstatic.com/ugd/b2085e_2f6c1e7fe9c0105d8a57f604ce75899a7.pdf

Version 3: Now with more security!

Version 3 of the plugin now uses a sanitised and escaped output for the unfiltered_html setting.

Timeline

Published on: 09/19/2022 14:15:00 UTC
Last modified on: 09/21/2022 15:01:00 UTC

References

• https://wpscan.com/vulnerability/0dbc85dd-736c-492e-9db8-acb7195771aa
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3036