WordPress Plugin Vulnerabilities

DeepL Pro API Translation < 1.7.5 - API Key Disclosure

Description

The plugin discloses sensitive information (including the DeepL API key) in files that are publicly accessible to an external, unauthenticated visitor.

Proof of Concept

https://example.com/wp-content/uploads/wpdeepl/2022-07-operation.log
https://example.com/wp-content/uploads/wpdeepl/2022-07-apiRequests.log
https://example.com/wp-content/uploads/wpdeepl/-request

Affects Plugins

Plugin icon
wpdeepl
Fixed in 1.7.5

References

CVE
CVE-2022-3691

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Raad Haddad of Cloudyrion GmbH
Submitter
Raad Haddad of Cloudyrion GmbH
Submitter twitter
raadfhaddad
Verified
Yes
WPVDB ID
4248a0af-1b7e-4e29-8129-3f40c1d0c560

Timeline

Publicly Published
2022-10-31 (about 1 years ago)
Added
2022-10-31 (about 1 years ago)
Last Updated
2022-12-21 (about 1 years ago)

Other

Published
Title
Published
2022-04-18
Title
VikBooking Hotel Booking Engine & PMS < 1.5.4 - Booking Data Disclosure
Published
2023-09-11
Title
WooCommerce < 8.1.1 - Shop Manager+ User Metadata Disclosure
Published
2020-01-03
Title
BuddyPress 5.0.0-5.1.1 - Private Data Exposure via REST API
Published
2021-12-13
Title
The Plus Addons for Elementor Pro < 5.0.7 - Sensitive Data Disclosure
Published
2024-01-31
Title
Relevanssi Pro < 2.25 - Unauthenticated Sensitive Information Exposure