CVE-2022-3141
published 2022-09-19


Priority: P2 · 60 · high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 3.85% (88.8th percentile)
The Translate Multilingual sites WordPress plugin before 2.3.3 is vulnerable to an authenticated SQL injection. By adding a new language (via the settings page) containing specific special characters, the backticks in the SQL query can be surpassed and a time-based blind payload can be injected.

Affected (1 range)

Vendor       Product         Version range   Fixed in
cozmoslabs   translatepress  < 2.3.3         2.3.3

Detection & IOCs (extracted from sources)

  command: trp_settings[translation-languages][]=en_GB WHERE 4372=4372 AND (SELECT 6967 FROM (SELECT(SLEEP(5)))ZDtR)-- bsZU
  url:     /wp-admin/options-general.php?page=translate-press&settings-updated=true
  path:    /wp-admin/options-general.php
  • Monitor POST requests to /wp-admin/options-general.php with option_page=trp_settings containing SQL keywords (SLEEP, SELECT, WHERE) in the trp_settings[translation-languages][] parameter, which is the injection point for this time-based blind SQLi.
  • Detect the presence of SLEEP() calls within the trp_settings[translation-languages][] POST parameter as a strong indicator of active exploitation of this time-based blind SQL injection.
  • Alert on POST requests to the WordPress settings update action (action=update, option_page=trp_settings) where any trp_settings parameter value contains SQL comment sequences (e.g., --) or subquery patterns (SELECT...FROM), indicating attempted SQL injection via the language settings form.
  • Exploitation requires authentication; the attacker must have sufficient privileges to access the TranslatePress settings page (wp-admin) and submit language configuration changes.
  • The payload is injected via the language name/slug field in the plugin settings; WAF rules should inspect POST body parameters for trp_settings keys, not just URL query strings.
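The detection guidance above can be turned into a small log-scanning check. The following is an added example written for this page; it is not code from cbcvebase, TranslatePress or any referenced source. It assumes a constructed, tab-separated request-log format (timestamp, method, path, URL-encoded POST body), since stock web-server access logs do not record POST bodies; the flagged sample body reuses the indicator quoted in the IOC list above, and the rule names and other sample values are constructed.

```python
import re
from urllib.parse import parse_qs, urlencode

# Path of the WordPress settings endpoint the plugin's form posts to (from the page).
SETTINGS_PATH = "/wp-admin/options-general.php"

# Patterns that should never appear in a language name/slug submitted to the
# trp_settings option group. Rule names are constructed for this example.
SQLI_PATTERNS = [
    ("sleep-call", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("benchmark-call", re.compile(r"\bBENCHMARK\s*\(", re.I)),
    ("subquery", re.compile(r"\bSELECT\b.*\bFROM\b", re.I | re.S)),
    ("where-clause", re.compile(r"\bWHERE\b", re.I)),
    ("sql-comment", re.compile(r"--|/\*")),
]


def inspect_request(method, path, body):
    """Return (parameter, rule) findings for one request; empty list if clean.

    Only POSTs to the settings endpoint whose option_page is trp_settings are
    examined, and only parameters under the trp_settings key are inspected.
    """
    if method.upper() != "POST" or path.split("?", 1)[0] != SETTINGS_PATH:
        return []
    params = parse_qs(body, keep_blank_values=True)
    if params.get("option_page") != ["trp_settings"]:
        return []
    findings = []
    for key, values in params.items():
        if not key.startswith("trp_settings"):
            continue
        for value in values:
            for rule, pattern in SQLI_PATTERNS:
                if pattern.search(value):
                    findings.append((key, rule))
    return findings


def scan_log(lines):
    """Scan request-log lines (assumed format: ts<TAB>method<TAB>path<TAB>body)."""
    alerts = []
    for line in lines:
        parts = line.rstrip("\n").split("\t", 3)
        if len(parts) != 4:
            continue  # malformed record; skip rather than crash the scanner
        ts, method, path, body = parts
        findings = inspect_request(method, path, body)
        if findings:
            alerts.append({"time": ts, "path": path, "findings": sorted(set(findings))})
    return alerts


def _record(ts, method, path, fields):
    """Build one constructed log line with a form-encoded body."""
    return "\t".join([ts, method, path, urlencode(fields)])


# Constructed sample log: a legitimate language update, the redirect after it,
# the injection attempt quoted on this page, and an unrelated settings POST.
SAMPLE_LOG = [
    _record("2022-09-19T10:00:01Z", "POST", SETTINGS_PATH,
            [("option_page", "trp_settings"), ("action", "update"),
             ("trp_settings[default-language]", "en_US"),
             ("trp_settings[translation-languages][]", "en_US"),
             ("trp_settings[translation-languages][]", "fr_FR")]),
    _record("2022-09-19T10:00:02Z", "GET",
            SETTINGS_PATH + "?page=translate-press&settings-updated=true", []),
    _record("2022-09-19T10:05:17Z", "POST", SETTINGS_PATH,
            [("option_page", "trp_settings"), ("action", "update"),
             ("trp_settings[translation-languages][]",
              "en_GB WHERE 4372=4372 AND (SELECT 6967 FROM (SELECT(SLEEP(5)))ZDtR)-- bsZU")]),
    _record("2022-09-19T10:06:00Z", "POST", SETTINGS_PATH,
            [("option_page", "general"), ("blogname", "SELECT * FROM nothing")]),
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["time"], alert["path"])
        for key, rule in alert["findings"]:
            print("  ", key, "->", rule)
```

Scoping the match to the trp_settings option group and its own parameters keeps the check from firing on unrelated admin forms, and decoding the body with parse_qs means URL-encoded or plus-encoded payloads are inspected in their decoded form, which is what the bullet about inspecting POST bodies rather than query strings calls for.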