SB2022090638 - Multiple vulnerabilities in Transposh WordPress Translation plugin for WordPress
Published: September 6, 2022 Updated: November 29, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2022-2462)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to insufficient permissions checks in the "tp_history" AJAX action. A remote attacker can gain unauthorized access to sensitive information on the system.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-2461)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient permissions checking on the "tp_translation" AJAX action and default settings. A remote attacker can influence the data shown on the site.
3) Improper Authorization (CVE-ID: CVE-2022-2536)
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to improper authorization. A remote attacker can bypass authorization process and gain unauthorized access to the application.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2462
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2461
- https://patchstack.com/database/vulnerability/transposh-translation-filter-for-wordpress/wordpress-transposh-wordpress-translation-plugin-1-0-8-1-authorization-bypass-vulnerability