Greeklish-permalink < 3.5 – Unauthenticated Post Slug Update | CVE 2023-2495 | Plugin Vulnerabilities

Description

The plugin does not implement correct authorization or nonce checks in the cyrtrans_ajax_old AJAX action, allowing unauthenticated and low-privilege users to trigger the plugin's functionality to change Post slugs either directly or through CSRF.

Proof of Concept

1. Create a post with the name "Νέα ανάρτηση".

2. Visit the post and notice that the permalink uses the Greek characters.

3. In an unauthenticated browser session, run the following code: fetch('/wp-admin/admin-ajax.php?action=cyrtrans_ajax_old', {method: 'POST'})

4. Visit the post again, and notice that the permalink now uses Latin characters.

Affects Plugins

greeklish-permalink

Fixed in 3.5

References

CVE

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Jonas Höbenreich

Submitter

Jonas Höbenreich

Submitter website

https://www.jonh.eu/

Verified

Yes

WPVDB ID

45878983-7e9b-49c2-8f99-4c28aab24f09

Timeline

Publicly Published

2023-06-19 (about 1 years ago)

Added

2023-06-19 (about 1 years ago)

Last Updated

2023-08-15 (about 10 months ago)

Other

Published

Title

Published

2020-11-09

Title

Ultimate Member < 2.1.12 - Authenticated Privilege Escalation via Profile Update

Published

2023-05-02

Title

Easy Digital Downloads < 3.1.1.4.2 - Unauthenticated Privilege Escalation

Published

2023-03-06

Title

Multiple e-plugins - Subscriber+ Privilege Escalation

Published

2016-06-06

Title

Newspaper Theme 6.4–6.7.1 - Privilege Escalation

Published

2021-04-26

Title

Store Locator Plus < 5.9 - Authenticated Privilege Escalation