{"id":28586,"date":"2022-07-29T21:48:43","date_gmt":"2022-07-29T17:48:43","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167865\/wptransposh107-xss.txt"},"modified":"2022-07-30T09:59:10","modified_gmt":"2022-07-30T05:29:10","slug":"transposh-wordpress-translation-1-0-7-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/transposh-wordpress-translation-1-0-7-cross-site-scripting\/","title":{"rendered":"Transposh WordPress Translation 1.0.7 Cross Site Scripting"},"content":{"rendered":"<p dir=\"ltr\">RCE Security Advisory<br \/>\nhttps:\/\/www.rcesecurity.com<\/p>\n<p dir=\"ltr\">1. ADVISORY INFORMATION<br \/>\n=======================<br \/>\nProduct: Transposh WordPress Translation<br \/>\nVendor URL: https:\/\/wordpress.org\/plugins\/transposh-translation-filter-for-wordpress\/<br \/>\nType: Cross-Site Scripting [CWE-79]<br \/>\nDate found: 2021-08-19<br \/>\nDate published: 2022-07-22<br \/>\nCVSSv3 Score: 4.7 (CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:N\/I:L\/A:N)<br \/>\nCVE: CVE-2021-24910<\/p>\n<p dir=\"ltr\">2. CREDITS<br \/>\n==========<br \/>\nThis vulnerability was discovered and researched by Julien Ahrens from<br \/>\nRCE Security.<\/p>\n<p dir=\"ltr\">3. VERSIONS AFFECTED<br \/>\n====================<br \/>\nTransposh WordPress Translation 1.0.7 and below<\/p>\n<p dir=\"ltr\">4. INTRODUCTION<br \/>\n===============<br \/>\nTransposh translation filter for WordPress offers a unique approach to blog<br \/>\ntranslation. It allows your blog to combine automatic translation with human<br \/>\ntranslation aided by your users with an easy to use in-context interface.<\/p>\n<p dir=\"ltr\">(from the vendor&#8217;s homepage)<\/p>\n<p dir=\"ltr\">5. 
VULNERABILITY DETAILS<br \/>\n========================<br \/>\nThe plugin&#8217;s ajax action &#8220;tp_tp&#8221; is vulnerable to an unauthenticated\/authenticated<br \/>\nreflected Cross-Site Scripting vulnerability when user-supplied input to the HTTP<br \/>\nGET parameter &#8220;q&#8221; is processed by the web application. Since the application does<br \/>\nnot properly validate and sanitize this parameter, it is possible to place<br \/>\narbitrary script code onto the same page.<\/p>\n<p dir=\"ltr\">This offers a wide range of possible attacks such as redirecting the user to a<br \/>\nmalicious page, spoofing content on the page or attacking the browser and its<br \/>\nplugins. Since all session-relevant cookies are protected by HTTPOnly, it is not<br \/>\npossible to hijack sessions.<\/p>\n<p dir=\"ltr\">6. PROOF OF CONCEPT<br \/>\n===================<br \/>\nThe following PoC triggers a JavaScript alert:<\/p>\n<p dir=\"ltr\">http:\/\/[host]\/wp-admin\/admin-ajax.php?action=tp_tp&#038;e=g&#038;m=s&#038;tl=en&#038;q=&lt;img%20src%3dx%20onerror%3dalert(document.cookie)&gt;<\/p>\n<p dir=\"ltr\">7. SOLUTION<br \/>\n===========<br \/>\nUpdate to Transposh 1.0.8.1<\/p>\n<p dir=\"ltr\">8. REPORT TIMELINE<br \/>\n==================<br \/>\n2021-08-19: Discovery of the vulnerability<br \/>\n2021-08-20: Contacted the vendor via their contact form<br \/>\n2021-08-20: Vendor response<br \/>\n2021-08-20: Sent all the PoC exploits<br \/>\n2021-08-20: Vendor acknowledges the issues<br \/>\n2021-09-14: Requested status update from vendor<br \/>\n2021-10-07: No response from vendor, requested status update again<br \/>\n2021-10-25: CVE requested from WPScan (CNA)<br \/>\n2021-10-27: WPScan assigns CVE-2021-24910<br \/>\n2022-02-22: Vendor releases 1.0.8 which fixes this vulnerability<br \/>\n2022-07-22: Public disclosure<\/p>\n<p dir=\"ltr\">9. 
REFERENCES<br \/>\n=============<br \/>\nhttps:\/\/github.com\/MrTuxracer\/advisories<br \/>\nhttps:\/\/transposh.org\/version-1-0-8-thanks-julien\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>RCE Security Advisory https:\/\/www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Transposh WordPress Translation Vendor URL: https:\/\/wordpress.org\/plugins\/transposh-translation-filter-for-wordpress\/ Type: Cross-Site Scripting [CWE-79] Date found: 2021-08-19 Date published: 2022-07-22 CVSSv3 Score: 4.7 (CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:N\/I:L\/A:N) CVE: CVE-2021-24910 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Transposh WordPress Translation 1.0.7 and &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-28586","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/28586","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=28586"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/28586\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=28586"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=28586"},{"taxonom
y":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=28586"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}