Transposh WordPress Translation <= 1.0.8 – Subscriber+ Unauthorised Calls | CVE 2022-25810

Description

The plugin exposes a couple of sensitive actions such has “tp_reset” under the Utilities tab (/wp-admin/admin.php?page=tp_utils), which can be used/executed as the lowest-privileged user. Basically all Utilities functionalities are vulnerable this way, which involves resetting configurations and backup/restore operations.

Proof of Concept

As a subscriber:
https://example.com/wp-admin/admin-ajax.php?action=tp_reset
https://example.com/wp-admin/admin-ajax.php?action=tp_cleanup&days=0

Affects Plugins

transposh-translation-filter-for-wordpress

No known fix

References

CVE

CVE-2022-25810

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CWE-862

CVSS

4.3 (medium)

Miscellaneous

Original Researcher

Julien Ahrens

Verified

Yes

WPVDB ID

9a934a84-f0c7-42ed-b980-bb168b2c5892

Timeline

Publicly Published

2022-07-26 (about 1 years ago)

Added

2022-07-26 (about 1 years ago)

Last Updated

2022-08-25 (about 1 years ago)

Other

Published

Title

Published

2024-04-25

Title

WPPizza < 3.18.11 - Missing Authorization

Published

2023-09-12

Title

WP User Control <= 1.5.3 - Unauthenticated password reset

Published

2024-04-25

Title

EPROLO Dropshipping < 1.7.2 - Missing Authorization

Published

2024-02-26

Title

Categorify < 1.0.7.5 - Missing Authorization in categorifyAjaxAddCategory

Published

2023-09-05

Title

Analytify Dashboard < 5.1.1 - Missing Authorization to Opt-In