Vulners
Lucene search
Transposh WordPress Translation 1.0.8.1 Remote Code Execution Vulnerability
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | Exploit for Cross-site Scripting in Astaro Security_Gateway_Software | 30 Apr 201915:15 | – | githubexploit |
 | CVE-2022-25812 | 22 Aug 202215:15 | – | attackerkb |
 | CVE-2022-25812 | 22 Aug 202218:26 | – | circl |
 | WordPress plugin Transposh WordPress Translation 代码注入漏洞 | 29 Jul 202200:00 | – | cnnvd |
 | CVE-2022-25812 | 22 Aug 202214:59 | – | cve |
 | CVE-2022-25812 Transposh WordPress Translation < 1.0.8 - Admin+ RCE | 22 Aug 202214:59 | – | cvelist |
 | EUVD-2022-30452 | 3 Oct 202520:07 | – | euvd |
 | CVE-2022-25812 | 22 Aug 202215:15 | – | nvd |
 | CVE-2022-25812 | 22 Aug 202215:15 | – | osv |
 | Transposh WordPress Translation 1.0.8.1 Remote Code Execution | 29 Jul 202200:00 | – | packetstorm |
10
1. ADVISORY INFORMATION
=======================
Product: Transposh WordPress Translation
Vendor URL: https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/
Type: Reliance on File Name or Extension of Externally-Supplied File [CWE-646]
Date found: 2022-02-21
Date published: 2022-07-22
CVSSv3 Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVE: CVE-2022-25812
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
Transposh WordPress Translation 1.0.8.1 and below
4. INTRODUCTION
===============
Transposh translation filter for WordPress offers a unique approach to blog
translation. It allows your blog to combine automatic translation with human
translation aided by your users with an easy to use in-context interface.
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
The plugin's "save_transposh" action available at "/wp-admin/admin.php?page=tp_advanced"
does not properly validate the "Log file name" allowing an attacker with the
"Administrator" role to specify a .php file as the log destination.
Since the log file is stored directly within the "/wp-admin" directory, executing
arbitrary PHP code is possible by simply sending a crafted request that gets
logged.
Successful exploits can allow the attacker to compromise the entire WordPress
installation. This is specifically relevant in multi-site installations.
6. PROOF OF CONCEPT
===================
1.Go to "/wp-admin/admin.php?page=tp_advanced" and "Enable debugging" by pointing
it to a filename with a .php extension.
2.Set the "Level of logging" to "Debug"
3.Saving the settings
4.Submit a payload like "<?php phpinfo();?>" to any of Transposh's functionalities.
5.Go to "/wp-admin/[your-filename.php]" to trigger the code injection
7. SOLUTION
===========
None. Remove the plugin to prevent exploitation.
8. REPORT TIMELINE
==================
2022-02-21: Discovery of the vulnerability
2022-02-21: Contacted the vendor via email
2022-02-21: Vendor response
2022-02-22: CVE requested from WPScan (CNA)
2022-02-23: WPScan assigns CVE-2022-25812
2022-05-22: Sent request for status update on the fix
2022-05-24: Vendor states that there is no update planned so far
2022-07-22: Public disclosure
9. REFERENCES
=============
https://github.com/MrTuxracer/advisories
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Jul 2022 00:00Current
0.2Low risk
Vulners AI Score0.2
CVSS 3.17.2
EPSS0.01441