CVE-2022-2536: Improper Authorization in Transposh WordPress Translation

Severity
NVD: 7.5 HIGH
CNA: 5.3
EPSS
0.8% (top 26.38%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Dec 15

Description

The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.9.6. This is due to insufficient validation of settings on the 'tp_translation' AJAX action which makes it possible for unauthenticated attackers to bypass any restrictions and influence the data shown on the site. Please note this is a separate issue from CVE-2022-2461. Notes from the researcher: When installed Transposh comes wit

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages: 2 packages

🔴 Vulnerability Details (2)

GHSA
GHSA-ggf6-w57c-2rj4: The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and
2022-12-15

CVEList
Transposh WordPress Translation <= 1.0.9.6 - Authorization Bypass
2022-12-15