CVE-2022-2461
published 2022-09-06CVE-2022-2461: The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and…
PriorityP278medium5.3CVSS 3.1
AVNACLPRNUINSUCNILAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
3.51%
87.7th percentile
The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.9.6. This is due to insufficient permissions checking on the 'tp_translation' AJAX action and default settings which makes it possible for unauthenticated attackers to influence the data shown on the site.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oferwald | transposh_wordpress_translation | <= 1.0.9.6 | — |
| transposh | transposh_wordpress_translation | <= 1.0.8.1 | — |
Detection & IOCsextracted from sources · hover to see the quote
url/wp-admin/admin-ajax.php
path/wp-content/plugins/transposh-translation-filter-for-wordpress/
commandaction=tp_translation&ln0=en&sr0=oast.me&items=1&tk0=oast.me&tr0=oast.me
otherTransposh: v-[0-9.]+
- →Exploit POST requests target /wp-admin/admin-ajax.php with action=tp_translation and sr0 parameter set to a non-zero/attacker-controlled value; monitor for unauthenticated POST requests matching this pattern.
- →Successful exploitation returns HTTP 200 with body containing '200 - backup in sync' and Content-Type text/html; use this as a confirmation matcher.
- →The Transposh plugin version can be fingerprinted from HTTP response headers via the 'Transposh: v-<version>' header pattern.
- →Presence of the plugin path /wp-content/plugins/transposh-translation-filter-for-wordpress/ in page body indicates a potentially vulnerable installation; use as a passive discovery signal.
- →The vulnerability is triggered when the HTTP POST parameter 'sr0' is larger than 0, bypassing the 'Who can translate' permission check due to faulty validation in wp/transposh_db.php. ↗
- ·The autotranslate feature is enabled by default in Transposh, which is a prerequisite for the bypass condition (sr0 > 0) to work; sites with autotranslate disabled may not be exploitable via this exact path. ↗
- ·CVE-2022-2461 affects versions up to and including 1.0.8.1; CVE-2022-2536 is a separate but related issue affecting up to 1.0.9.6 — ensure detection rules account for both version ranges. ↗
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vulncheck5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-ggf6-w57c-2rj4: The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and
ghsa_unreviewed·2022-12-15·CVSS 5.3
CVE-2022-2536 [MEDIUM] CWE-285 GHSA-ggf6-w57c-2rj4: The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and
The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.8.1. This is due to insufficient validation of settings on the 'tp_translation' AJAX action which makes it possible for unauthenticated attackers to bypass any restrictions and influence the data shown on the site. Please note this is a separate issue from CVE-2022-2461. Notes from the researcher: When installed Transposh comes with a set of pre-configured options, one of these is the "Who can translate" setting under the "Settings" tab. However, this option is largely ignored, if Transposh has enabled its "autotranslate" feature (it's enabled by default) and the HTTP POST parameter "sr0" is larger than 0. This is caused by a
GHSA
GHSA-3xc8-4p8r-q7hj: The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and
ghsa_unreviewed·2022-09-07
CVE-2022-2461 [MEDIUM] CWE-285 GHSA-3xc8-4p8r-q7hj: The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and
The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.8.1. This is due to insufficient permissions checking on the 'tp_translation' AJAX action and default settings which makes it possible for unauthenticated attackers to influence the data shown on the site.
VulnCheck
transposh transposh_wordpress_translation Missing Authorization
vulncheck·2022·CVSS 5.3
CVE-2022-2461 [MEDIUM] transposh transposh_wordpress_translation Missing Authorization
transposh transposh_wordpress_translation Missing Authorization
The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.9.6. This is due to insufficient permissions checking on the 'tp_translation' AJAX action and default settings which makes it possible for unauthenticated attackers to influence the data shown on the site.
Affected: transposh transposh_wordpress_translation
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/vulnerability/transposh-translation-filter-for-wordpress/wordpress-transposh-wordpress-translat
No detection rules found.
Nuclei
Transposh WordPress Translation <= 1.0.8 - Unauthenticated Settings Change
nuclei·CVSS 5.3
CVE-2022-2461 [MEDIUM] Transposh WordPress Translation <= 1.0.8 - Unauthenticated Settings Change
Transposh WordPress Translation <= 1.0.8 - Unauthenticated Settings Change
The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.8.1. This is due to insufficient permissions checking on the 'tp_translation' AJAX action and default settings which makes it possible for unauthenticated attackers to influence the data shown on the site.
Template:
id: CVE-2022-2461
info:
name: Transposh WordPress Translation <= 1.0.8 - Unauthenticated Settings Change
author: riteshs4hu
severity: medium
description: |
The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.8.1. This is due
No writeups or analysis indexed.
https://packetstormsecurity.com/files/167870/wptransposh107-auth.txthttps://plugins.trac.wordpress.org/browser/transposh-translation-filter-for-wordpress/trunk/transposh.php?rev=2682425#L1989https://www.exploitalert.com/view-details.html?id=38891https://www.rcesecurity.com/2022/07/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS/https://www.wordfence.com/threat-intel/vulnerabilities/id/223373fc-9d78-47f0-b283-109f8e00b802?source=cvehttps://www.wordfence.com/vulnerability-advisories/#CVE-2022-2461https://packetstormsecurity.com/files/167870/wptransposh107-auth.txthttps://plugins.trac.wordpress.org/browser/transposh-translation-filter-for-wordpress/trunk/transposh.php?rev=2682425#L1989https://www.exploitalert.com/view-details.html?id=38891https://www.rcesecurity.com/2022/07/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS/https://www.wordfence.com/threat-intel/vulnerabilities/id/223373fc-9d78-47f0-b283-109f8e00b802?source=cvehttps://www.wordfence.com/vulnerability-advisories/#CVE-2022-2461
2022-09-06
Published
Exploited in the wild