Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-2462 — Sensitive Information Exposure in Transposh Wordpress Translation

CWE-200 — Sensitive Information Exposure CWE-787 — Out-of-bounds Write5 documents5 sources

Severity

5.3MEDIUMNVD

CISA9.8

EPSS

6.0%

top 9.30%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Oferwald Transposh Wordpress Translation Transposh Wordpress Translation

Timeline

PublishedSep 6

Latest updateSep 7

Description

The Transposh WordPress Translation plugin for WordPress is vulnerable to sensitive information disclosure to unauthenticated users in versions up to, and including, 1.0.9.6. This is due to insufficient permissions checking on the 'tp_history' AJAX action and insufficient restriction on the data returned in the response. This makes it possible for unauthenticated users to exfiltrate usernames of individuals who have translated text.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5oferwald/transposh_wordpress_translation1.0.9.6

▶NVDtransposh/transposh_wordpress_translation1.0.8.1

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-vr73-3j55-m4ww: The Transposh WordPress Translation plugin for WordPress is vulnerable to sensitive information disclosure to unauthenticated users in versions up to,↗2022-09-07

▶

CVEList

Transposh WordPress Translation <= 1.0.9.6 - Sensitive Information Disclosure↗2022-09-06

▶

💥Exploits & PoCs

Nuclei

WordPress Transposh <=1.0.8.1 - Information Disclosure

▶

📋Vendor Advisories

CISA

Adobe Reader and Acrobat Universal 3D Memory Corruption Vulnerability↗2022-06-08

▶