Transposh WordPress Translation 1.0.8.1 Remote Code Execution

Transposh WordPress Translation versions 1.0.8.1 and below have a “save_transposh” action available at “/wp-admin/admin.php?page=tp_advanced” that does not properly validate the “Log file name” allowing an attacker with the “Administrator” role to specify a .php file as the log destination. Since the log file is stored directly within the “/wp-admin” directory, executing arbitrary PHP code is possible by simply sending a crafted request that gets logged.

Packet Storm

RCE Security Advisory
https://www.rcesecurity.com

  1. ADVISORY INFORMATION
    =======================
    Product: Transposh WordPress Translation
    Vendor URL: https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/
    Type: Reliance on File Name or Extension of Externally-Supplied File [CWE-646]
    Date found: 2022-02-21
    Date published: 2022-07-22
    CVSSv3 Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
    CVE: CVE-2022-25812

  2. CREDITS
    ==========
    This vulnerability was discovered and researched by Julien Ahrens from
    RCE Security.

  3. VERSIONS AFFECTED
    ====================
    Transposh WordPress Translation 1.0.8.1 and below

  4. INTRODUCTION
    ===============
    Transposh translation filter for WordPress offers a unique approach to blog
    translation. It allows your blog to combine automatic translation with human
    translation aided by your users with an easy to use in-context interface.

(from the vendor’s homepage)

  5. VULNERABILITY DETAILS
    ========================
    The plugin’s “save_transposh” action, available at “/wp-admin/admin.php?page=tp_advanced”,
    does not properly validate the “Log file name” setting, which allows an attacker
    with the “Administrator” role to specify a .php file as the log destination.

Since the log file is stored directly within the “/wp-admin” directory, executing
arbitrary PHP code is possible by simply sending a crafted request that gets
logged.

Successful exploits can allow the attacker to compromise the entire WordPress
installation. This is specifically relevant in multi-site installations, where a
site Administrator is normally not permitted to install plugins or edit code and
therefore should not be able to reach code execution at all.

  6. PROOF OF CONCEPT
    ===================
    1. Go to “/wp-admin/admin.php?page=tp_advanced” and “Enable debugging” by pointing
       it to a filename with a .php extension.
    2. Set the “Level of logging” to “Debug”.
    3. Save the settings.
    4. Submit a payload like “<?php phpinfo();?>” to any of Transposh’s functionalities
       whose input is written to the log.
    5. Go to “/wp-admin/[your-filename.php]” to trigger the code injection.
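The following self-contained PHP 8 script is an added illustration of the pattern behind steps 1 and 4 above; it is not the plugin's own code, which the advisory does not reproduce. It places a minimal "debug log" sink that trusts the Administrator-supplied file name next to a hardened version that keeps only a conservative base name, forces a .log extension, writes below a directory the web server does not serve, and neutralises PHP open tags in logged data as defence in depth. The function names, the temporary directory layout standing in for the WordPress tree, and the sample request are assumptions; Transposh's real option keys and code paths differ.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Transposh plugin. Function names, the
// directory layout and the sample payload are assumptions for illustration.

// Vulnerable pattern (CWE-646): the "Log file name" is joined to the served
// admin directory without checking its extension, so "shell.php" becomes an
// executable file whose content is whatever gets logged, including
// attacker-controlled request data.
function tp_write_log_vulnerable(string $logFileName, string $message, string $adminDir): string
{
    $path = $adminDir . DIRECTORY_SEPARATOR . $logFileName;
    file_put_contents($path, $message . PHP_EOL, FILE_APPEND | LOCK_EX);
    return $path;
}

// Hardened name handling: strip directories, discard the supplied extension,
// accept only a conservative character set, and force ".log". Returns null
// on rejection (dotfiles, double extensions, empty names, ...).
function tp_sanitize_log_filename(string $name): ?string
{
    $name = basename(trim($name));                    // drops "../" and absolute paths
    $name = preg_replace('/\.[^.]*$/', '', $name);    // drop whatever extension was given
    if ($name === null || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }
    return $name . '.log';
}

// Hardened sink: validated name, a non-served directory, and PHP open tags
// neutralised in the logged text. Returns the path written, or null.
function tp_write_log_hardened(string $logFileName, string $message, string $privateLogDir): ?string
{
    $safeName = tp_sanitize_log_filename($logFileName);
    if ($safeName === null) {
        return null;
    }
    if (!is_dir($privateLogDir) && !mkdir($privateLogDir, 0700, true)) {
        return null;
    }
    $path = $privateLogDir . DIRECTORY_SEPARATOR . $safeName;
    $message = str_replace('<?', '&lt;?', $message);  // defence in depth only
    file_put_contents($path, $message . PHP_EOL, FILE_APPEND | LOCK_EX);
    return $path;
}

// Demo: the request from PoC step 4, logged by both sinks. The temp
// directories stand in for wp-admin and for a non-served log directory.
$demoRoot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tp-demo-' . bin2hex(random_bytes(4));
$adminDir = $demoRoot . DIRECTORY_SEPARATOR . 'wp-admin';
$logDir   = $demoRoot . DIRECTORY_SEPARATOR . 'private-logs';
mkdir($adminDir, 0700, true);

$requestedName = 'shell.php';           // PoC step 1: the "Log file name"
$payload       = '<?php phpinfo();?>';   // PoC step 4: constructed request content

$bad  = tp_write_log_vulnerable($requestedName, 'translation request: ' . $payload, $adminDir);
$good = tp_write_log_hardened($requestedName, 'translation request: ' . $payload, $logDir);

printf("vulnerable: %s\n  ends in .php: %s, contains PHP open tag: %s\n",
    $bad,
    str_ends_with($bad, '.php') ? 'yes' : 'no',
    str_contains((string) file_get_contents($bad), '<?php') ? 'yes' : 'no');

if ($good === null) {
    echo "hardened:   name rejected\n";
} else {
    printf("hardened:   %s\n  contains PHP open tag: %s\n",
        $good,
        str_contains((string) file_get_contents($good), '<?php') ? 'yes' : 'no');
}

// How the name filter treats a few other candidates.
foreach (['../../wp-config.php', '.htaccess', 'debug.log.php', 'debug'] as $candidate) {
    printf("sanitize(%s) => %s\n", var_export($candidate, true),
        var_export(tp_sanitize_log_filename($candidate), true));
}
```

Run it with `php example.php` on PHP 8.0 or later (it uses `str_ends_with` and `str_contains`). The point of the hardened sink is that no single measure carries the fix: forcing `.log` alone is not enough if the directory is still served and the web server can be made to execute other extensions, and keeping the file out of the web root alone does not stop a future `.php` name from being honoured; the name filter, the non-served location and the neutralised open tags each close a different path to the outcome in PoC step 5.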

  7. SOLUTION
    ===========
    None. Remove the plugin to prevent exploitation.

  8. REPORT TIMELINE
    ==================
    2022-02-21: Discovery of the vulnerability
    2022-02-21: Contacted the vendor via email
    2022-02-21: Vendor response
    2022-02-22: CVE requested from WPScan (CNA)
    2022-02-23: WPScan assigns CVE-2022-25812
    2022-05-22: Sent request for status update on the fix
    2022-05-24: Vendor states that there is no update planned so far
    2022-07-22: Public disclosure

  9. REFERENCES
    =============
    https://github.com/MrTuxracer/advisories

Related news

CVE-2022-2461: WordPress Transposh: Exploiting a Blind SQL Injection via XSS

The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.8.1. This is due to insufficient permissions checking on the 'tp_translation' AJAX action and default settings which makes it possible for unauthenticated attackers to influence the data shown on the site.

CVE-2022-25812

The Transposh WordPress Translation WordPress plugin before 1.0.8 does not validate its debug settings, which could allow high privilege users such as admin to perform RCE.
