1. ADVISORY INFORMATION
Product: Transposh WordPress Translation
Vendor URL: https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/
Type: Incorrect Authorization [CWE-863]
Date found: 2022-07-13
Date published: 2022-07-22
CVSSv3 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
This vulnerability was discovered and researched by Julien Ahrens from
3. VERSIONS AFFECTED
Transposh WordPress Translation 18.104.22.168 and below
Transposh translation filter for WordPress offers a unique approach to blog
translation. It allows your blog to combine automatic translation with human
translation aided by your users with an easy to use in-context interface.
(from the vendor's homepage)
5. VULNERABILITY DETAILS
When installed Transposh comes with a set of pre-configured options, one of these
is the "Who can translate" setting under the "Settings" tab, which by default
allows "Anonymous" users to add translations via the plugin's "tp_translation"
Successful exploits can allow an unauthenticated attacker to add translations to
the WordPress site and thereby influence what is actually shown on the site.
6. PROOF OF CONCEPT
The following Proof-of-Concept adds a new translation
POST /wp-admin/admin-ajax.php HTTP/2
None. Remove the plugin to prevent exploitation.
8. REPORT TIMELINE
2022-07-13: Discovery of the vulnerability
2022-07-13: CVE requested from WPScan (CNA)
2022-07-18: No response from WPScan
2022-07-18: CVE requested from Wordfence (CNA) instead
2022-07-18: Sent note to vendor
2022-07-18: Wordfence assigns CVE-2022-2461
2022-07-20: Since there are currently no plans to provide fixes at all:
2022-07-22: Public disclosure