WordPress Plugin Vulnerabilities

Greeklish-permalink < 3.5 - Unauthenticated Post Slug Update

Description

The plugin does not implement correct authorization or nonce checks in the cyrtrans_ajax_old AJAX action, allowing unauthenticated and low-privilege users to trigger the plugin's functionality to change Post slugs either directly or through CSRF.

Proof of Concept

1. Create a post with the name "Νέα ανάρτηση".

2. Visit the post and notice that the permalink uses the Greek characters.

3. In an unauthenticated browser session, run the following code: fetch('/wp-admin/admin-ajax.php?action=cyrtrans_ajax_old', {method: 'POST'})

4. Visit the post again, and notice that the permalink now uses Latin characters.

Affects Plugins

Plugin icon
greeklish-permalink
Fixed in 3.5

References

CVE
CVE-2023-2495

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Jonas Höbenreich
Submitter
Jonas Höbenreich
Submitter website
https://www.jonh.eu/
Verified
Yes
WPVDB ID
45878983-7e9b-49c2-8f99-4c28aab24f09

Timeline

Publicly Published
2023-06-19 (about 5 months ago)
Added
2023-06-19 (about 5 months ago)
Last Updated
2023-08-15 (about 3 months ago)

Other

Published
Title
Published
2023-08-09
Title
WP Project Manager < 2.6.5 - Subscriber+ Privilege Escalation
Published
2017-11-27
Title
Elementor Page Builder <= 1.7.12 - Authenticated Unrestricted Editing
Published
2018-05-29
Title
Woocommerce Category Banner Management <= 1.1.0 - Unauthenticated Settings Change
Published
2020-03-11
Title
MStore API < 2.1.6 - Unauthenticated Arbitrary Account Creation/Edition
Published
2020-01-24
Title
wpCentral < 1.4.8 - Privilege Escalation