Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-2461 — Missing Authorization in Transposh Wordpress Translation

CWE-862 — Missing Authorization CWE-285 — Improper Authorization5 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

17.8%

top 4.85%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Oferwald Transposh Wordpress Translation Transposh Wordpress Translation

Timeline

PublishedSep 6

Latest updateSep 7

Description

The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.9.6. This is due to insufficient permissions checking on the 'tp_translation' AJAX action and default settings which makes it possible for unauthenticated attackers to influence the data shown on the site.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5oferwald/transposh_wordpress_translation1.0.9.6

▶NVDtransposh/transposh_wordpress_translation1.0.8.1

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-3xc8-4p8r-q7hj: The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and↗2022-09-07

▶

CVEList

Transposh WordPress Translation <= 1.0.9.6 - Unauthorized Settings Change↗2022-09-06

▶

VulnCheck

transposh transposh_wordpress_translation Missing Authorization↗2022

▶

💥Exploits & PoCs

Nuclei

Transposh WordPress Translation <= 1.0.8 - Unauthenticated Settings Change

▶