WordPress Plugin Vulnerabilities

Transposh WordPress Translation <= 1.0.8 - Usernames Disclosure

Description

The plugin does not have any authorisation in its tp_history AJAX action, allowing unauthenticated users to call it and retrieve a list of usernames which translated text

Affects Plugins

Plugin icon
transposh-translation-filter-for-wordpress
No known fix

References

CVE
CVE-2022-2462

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Julien Ahrens
Verified
No
WPVDB ID
a8c7eb49-8f16-4ce0-afb6-ca10d59a24b3

Timeline

Publicly Published
2022-07-25 (about 3 years ago)
Added
2022-07-25 (about 3 years ago)
Last Updated
2022-08-25 (about 3 years ago)

Other

Published
Title
Published
2021-07-20
Title
WP SEO TDK <= 2.1.2 - Unauthenticated Setting Update to Stored XSS
Published
2025-01-15
Title
Widget Options < 4.0.9 - Missing Authorization to Notice Dismissal
Published
2023-02-21
Title
WP OAuth Server < 4.3.0 - Subscriber+ Arbitrary Client Deletion
Published
2025-12-31
Title
All in One Accessibility < 1.16 - Missing Authorization
Published
2025-08-10
Title
WebinarIgnition < 4.06.05 - Missing Authorization