Wagtail Stored Cross-Site Scripting Vulnerability in Simple Translation Module

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Wagtail content management system, specifically within the simple_translation module. This issue affects Wagtail versions prior to 6.3.8, as well as 6.4, 7.0.5, 7.1, 7.2.2, and 7.3. Users with access to the Wagtail admin area can exploit this vulnerability by creating a page with a specially crafted title. When another user performs the 'Translate' action, the crafted title executes arbitrary JavaScript, potentially leading to actions being performed with that user's credentials. The vulnerability is not exploitable by regular site visitors without admin access.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the confirmation message.

Reproduction

To reproduce this vulnerability, log into the Wagtail admin area and create a page with a title that includes malicious JavaScript, such as an image tag with an event handler. Once the page is saved, another user can be directed to translate the page, triggering the execution of the embedded JavaScript in the confirmation message.
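The root cause the advisory describes is a page title that is user-controlled but is rendered into a confirmation message as live HTML. The following Python snippet is an added illustration, not Wagtail's code and not the upstream fix: it places a vulnerable message builder next to a hardened one that escapes the title before interpolation, plus a small detection helper that flags a message still carrying an unescaped tag. The title is a constructed sample of the kind the text describes (an image tag with an event handler, here with an inert handler), the message wording is invented, and `build_message_unsafe`, `build_message_safe` and `contains_live_markup` are hypothetical names.

```python
import html
import re

# Constructed sample title of the kind the advisory describes: an image tag
# carrying an event handler. An admin user would store it as a page title.
# The handler body is deliberately a no-op.
CRAFTED_TITLE = '<img src="x" onerror="void 0">'


def build_message_unsafe(title: str) -> str:
    """Vulnerable pattern: the user-controlled title is interpolated straight
    into an HTML fragment, so any markup inside it stays live when the
    fragment is rendered as the confirmation message."""
    return f"Page '{title}' sent for translation"


def build_message_safe(title: str) -> str:
    """Hardened pattern: escape the title before interpolation so it renders
    as text. In Django this is what format_html() does for its arguments;
    html.escape() is used here so the example runs without Django."""
    return f"Page '{html.escape(title, quote=True)}' sent for translation"


# Matches an opening or self-closing HTML tag that survived into the fragment.
_TAG_RE = re.compile(r"<\s*[a-zA-Z][^>]*>")


def contains_live_markup(fragment: str) -> bool:
    """Detection helper: True if the fragment still contains an unescaped tag.
    Useful as a unit-test assertion on any message built from user input."""
    return _TAG_RE.search(fragment) is not None


if __name__ == "__main__":
    for builder in (build_message_unsafe, build_message_safe):
        msg = builder(CRAFTED_TITLE)
        print(f"{builder.__name__}: live markup = {contains_live_markup(msg)}")
        print("   ", msg)
```

The detection helper is intentionally coarse: it exists to catch the class of bug in tests (any user-supplied string reaching a message marked safe), not to sanitise input. The fix is to escape at the point of rendering, as the safe builder does, rather than to filter titles on the way in.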

Remediation

Users can upgrade to Wagtail versions 6.3.8, 7.0.6, 7.2.3, or 7.3.1 to address this vulnerability.
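To turn the remediation note into a check an operator can run against an installed version, the added Python helper below encodes the four fixed releases the advisory names and reports the release to move to. It is not part of the advisory or of Wagtail. One assumption is built in and marked in the code: a release series the advisory lists as affected but for which it names no fix (for example 6.4.x or 7.1.x) is pointed at the next listed fixed release above it, and a version newer than every listed fix is reported as needing no action. `parse_version` and `upgrade_target` are hypothetical names.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory, keyed by (major, minor) series.
FIXED_BY_SERIES = {
    (6, 3): (6, 3, 8),
    (7, 0): (7, 0, 6),
    (7, 2): (7, 2, 3),
    (7, 3): (7, 3, 1),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]'; a trailing suffix such as 'rc1' is ignored."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def upgrade_target(installed: str) -> Optional[str]:
    """Return the release to upgrade to, or None if no action is indicated.

    Assumption (not stated in the advisory): a series without a listed fix is
    treated as affected and mapped to the lowest listed fixed release above
    the installed version; a version above every listed fix returns None.
    """
    version = parse_version(installed)
    series = version[:2]
    if series in FIXED_BY_SERIES:
        fixed = FIXED_BY_SERIES[series]
        return None if version >= fixed else ".".join(map(str, fixed))
    candidates = sorted(f for f in FIXED_BY_SERIES.values() if f > version)
    if not candidates:
        return None
    return ".".join(map(str, candidates[0]))


if __name__ == "__main__":
    # Constructed sample inventory of installed versions.
    for installed in ("6.3.7", "6.3.8", "6.4.2", "7.0.5", "7.1.1", "7.2.3", "7.3"):
        target = upgrade_target(installed)
        print(f"{installed:>6}: {'ok' if target is None else 'upgrade to ' + target}")
```

In practice the installed version comes from `importlib.metadata.version("wagtail")` or the deployment's lock file; feeding that string to `upgrade_target` gives a pass/fail that can sit in a CI step.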

Added: Mar 5, 2026, 8:22 PM
Updated: Mar 5, 2026, 8:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 5.8
remediation: 0.0
relevance: 3.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.