CVE-2022-25810 — Missing Authorization in Wordpress Translation

CWE-862 — Missing Authorization3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 54.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Transposh Wordpress Translation

Timeline

PublishedAug 22

Latest updateAug 23

Description

The Transposh WordPress Translation WordPress plugin through 1.0.8 exposes a couple of sensitive actions such has “tp_reset” under the Utilities tab (/wp-admin/admin.php?page=tp_utils), which can be used/executed as the lowest-privileged user. Basically all Utilities functionalities are vulnerable this way, which involves resetting configurations and backup/restore operations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

▶NVDtransposh/transposh_wordpress_translation1.0.8

🔴Vulnerability Details

GHSA

GHSA-7j8w-jqvj-386m: The Transposh WordPress Translation WordPress plugin through 1↗2022-08-23

▶

CVEList

Transposh WordPress Translation <= 1.0.8 - Subscriber+ Unauthorised Calls↗2022-08-22

▶