CVE-2022-2462
Published 2022-09-06
Priority: P3 (37), medium, 5.3 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 2.94% (85.4th percentile)
The Transposh WordPress Translation plugin for WordPress is vulnerable to sensitive information disclosure to unauthenticated users in versions up to, and including, 1.0.9.6. This is due to insufficient permissions checking on the 'tp_history' AJAX action and insufficient restriction on the data returned in the response. This makes it possible for unauthenticated users to exfiltrate usernames of individuals who have translated text.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oferwald | transposh_wordpress_translation | <= 1.0.9.6 | — |
| transposh | transposh_wordpress_translation | <= 1.0.8.1 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-vr73-3j55-m4ww · ghsa_unreviewed · 2022-09-07 · CVE-2022-2462 [MEDIUM] CWE-200
The Transposh WordPress Translation plugin for WordPress is vulnerable to sensitive information disclosure to unauthenticated users in versions up to, and including, 1.0.8.1. This is due to insufficient permissions checking on the 'tp_history' AJAX action and insufficient restriction on the data returned in the response. This makes it possible for unauthenticated users to exfiltrate usernames of individuals who have translated text.
CISA
CVE-2011-2462 [CRITICAL] CWE-787 · cisa · 2022-06-08 · CVSS 9.8
Vulnerability: Adobe Reader and Acrobat Universal 3D Memory Corruption Vulnerability
Affected: Adobe Reader and Acrobat
The Universal 3D (U3D) component in Adobe Reader and Acrobat contains a memory corruption vulnerability which could allow remote attackers to execute code or cause denial-of-service (DoS).
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2011-2462
Remediation Due Date: 2022-06-22
No detection rules found.
Nuclei
WordPress Transposh <=1.0.8.1 - Information Disclosure
nuclei · CVSS 5.3 · CVE-2022-2462 [MEDIUM]
```yaml
description: WordPress Transposh <=1.0.8.1 … (>=1.0.8.2) to mitigate this vulnerability.
reference:
  - https://packetstormsecurity.com/files/167878/wptransposh1081-disclose.txt
  - https://github.com/oferwald/transposh
  - https://www.rcesecurity.com/2022/07/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS/
  - https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2462
  - https://nvd.nist.gov/vuln/detail/CVE-2022-2462
classification:
  cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  cvss-score: 5.3
  cve-id: CVE-2022-2462
  cwe-id: CWE-200
  epss-score: 0.05988
  epss-percentile: 0.9069
  cpe: cpe:2.3:a:transposh:transposh_wordpress_translation:*:*:*:*:*:wordpress:*:*
metadata:
  max-request: 1
  vendor: transposh
  product: transposh_wordpress_translation
  framework: wordpress
tags: cve,cve2022,wordpress,disclos
```
References
- https://github.com/oferwald/transposh/blob/master/transposh.php#L1550
- https://packetstormsecurity.com/files/167878/wptransposh1081-disclose.txt
- https://plugins.trac.wordpress.org/browser/transposh-translation-filter-for-wordpress/trunk/transposh.php?rev=2682425#L1948
- https://www.rcesecurity.com/2022/07/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bd1f12ac-86ac-4be9-9575-98381c3b4291?source=cve
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2462