Refine your search

1 vulnerability found for Prisna GWT – Google Website Translator by prisna

CVE-2024-8514 (GCVE-0-2024-8514)
Vulnerability from cvelistv5
Published
2024-09-25 03:27
Modified
2026-04-08 16:48
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE
  • CWE-502 - Deserialization of Untrusted Data
Summary
The Prisna GWT – Google Website Translator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.11 via deserialization of untrusted input from the 'prisna_import' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References
Impacted products
Vendor Product Version
prisna Prisna GWT – Google Website Translator Version: 0    1.4.11
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:prisna:prisna_gwt-google_website_translator:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "prisna_gwt-google_website_translator",
            "vendor": "prisna",
            "versions": [
              {
                "lessThanOrEqual": "1.4.11",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8514",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-25T14:02:59.712022Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-25T14:10:27.990Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Prisna GWT \u2013 Google Website Translator",
          "vendor": "prisna",
          "versions": [
            {
              "lessThanOrEqual": "1.4.11",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lesor101"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Prisna GWT \u2013 Google Website Translator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.11 via deserialization of untrusted input from the \u0027prisna_import\u0027 parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:48:43.716Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4183c3f7-7794-45f3-8fad-b87ffec3639c?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/google-website-translator/tags/1.4.11/classes/admin.class.php#L267"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3155285/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-09-24T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Prisna GWT - Google Website Translator \u003c= 1.4.11 - Authenticated (Admin+) PHP Object Injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-8514",
    "datePublished": "2024-09-25T03:27:39.955Z",
    "dateReserved": "2024-09-06T14:01:41.443Z",
    "dateUpdated": "2026-04-08T16:48:43.716Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}