CVE-2022-25810

2022-08-2215:15:14

CWE-862

[email protected]

web.nvd.nist.gov

cve-2022-25810

transposh wordpress translation

wordpress plugin

sensitive actions

vulnerability

nvd

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

24.8%

JSON

The Transposh WordPress Translation WordPress plugin through 1.0.8 exposes a couple of sensitive actions such has “tp_reset” under the Utilities tab (/wp-admin/admin.php?page=tp_utils), which can be used/executed as the lowest-privileged user. Basically all Utilities functionalities are vulnerable this way, which involves resetting configurations and backup/restore operations.

Affected configurations

Vulners

NVD

Node

wordpresswordpressRange≤1.0.8

VendorProductVersionCPE
wordpresswordpress*cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
wordpress	wordpress	*	cpe:2.3:a:wordpress:wordpress::::::::

CNA Affected

[
  {
    "product": "Transposh WordPress Translation",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThanOrEqual": "1.0.8",
        "status": "affected",
        "version": "1.0.8",
        "versionType": "custom"
      }
    ]
  }
]