# Exploit Title: WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated)  
# Date: 06-08-2021  
# Exploit Author: Nosa Shandy (Apapedulimu)  
# Vendor Homepage:  
# Software Link:   
# Reference:  
# Version: 2.0.6   
# Tested on: macOS 11.4  
# CVE : CVE-2021-24610  
The plugin does not properly filter the 'translated' parameter before it is stored in the database. The 'trp_sanitize_string' function only checks for "<script></script>" with preg_replace, so an attacker can use other HTML tags to execute JavaScript.  
Steps to Reproduce:  
1. Go to http://localhost:8888/wordpress/?trp-edit-translation=true  
2. Enter a Gettext string.  
3. Enter a payload such as <img src=x onerror=alert(4)>  
4. Save. The payload will be executed.  
5. Check the homepage; it will be affected as well.  
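The gap described above, modelled in plain PHP as an added example (this is not TranslatePress code): `script_only_filter` is a hypothetical stand-in for a sanitizer that removes only script elements, `escape_for_html_output` is an assumed fix for values treated as plain text, and `contains_markup` is a hypothetical audit helper. The sample strings are constructed, apart from the payload taken from step 3.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a sanitizer that only removes <script> elements,
// as the advisory describes. This is not the plugin's trp_sanitize_string source.
function script_only_filter(string $input): string
{
    return preg_replace('#<script\b[^>]*>.*?</script>#is', '', $input) ?? '';
}

// Assumed fix for values that are meant to be plain text: encode on output so
// markup is displayed, never parsed. Where limited HTML must survive, WordPress
// code would use wp_kses() with an explicit allowlist instead.
function escape_for_html_output(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Audit helper: true if the value still contains something a browser would
// parse as a tag, e.g. when scanning stored translations after the fact.
function contains_markup(string $value): bool
{
    return preg_match('#<[a-z/!][^>]*>#i', $value) === 1;
}

// Constructed sample inputs; the second carries the payload from the advisory.
$samples = [
    'script element'   => 'Hello <script>alert(4)</script>',
    'img with handler' => 'Hello <img src=x onerror=alert(4)>',
    'plain text'       => 'Hello world',
];

foreach ($samples as $label => $input) {
    $weak = script_only_filter($input);
    $safe = escape_for_html_output($input);
    printf(
        "%-17s weak=%-38s markup_left=%-3s safe=%s\n",
        $label,
        json_encode($weak),
        contains_markup($weak) ? 'yes' : 'no',
        json_encode($safe)
    );
}
```

Only the script sample is neutralised by the script-only filter; the img sample passes through it unchanged, while the encoded form contains no parseable tag for any of the three inputs.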