Headline
Transposh WordPress Translation 1.0.8.1 Remote Code Execution
Transposh WordPress Translation versions 1.0.8.1 and below have a “save_transposh” action available at “/wp-admin/admin.php?page=tp_advanced” that does not properly validate the “Log file name” allowing an attacker with the “Administrator” role to specify a .php file as the log destination. Since the log file is stored directly within the “/wp-admin” directory, executing arbitrary PHP code is possible by simply sending a crafted request that gets logged.
RCE Security Advisory
https://www.rcesecurity.com
ADVISORY INFORMATION
=======================
Product: Transposh WordPress Translation
Vendor URL: https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/
Type: Reliance on File Name or Extension of Externally-Supplied File [CWE-646]
Date found: 2022-02-21
Date published: 2022-07-22
CVSSv3 Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVE: CVE-2022-25812CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.VERSIONS AFFECTED
====================
Transposh WordPress Translation 1.0.8.1 and belowINTRODUCTION
===============
Transposh translation filter for WordPress offers a unique approach to blog
translation. It allows your blog to combine automatic translation with human
translation aided by your users with an easy to use in-context interface.
(from the vendor’s homepage)
- VULNERABILITY DETAILS
========================
The plugin’s “save_transposh” action available at “/wp-admin/admin.php?page=tp_advanced”
does not properly validate the “Log file name” allowing an attacker with the
“Administrator” role to specify a .php file as the log destination.
Since the log file is stored directly within the “/wp-admin” directory, executing
arbitrary PHP code is possible by simply sending a crafted request that gets
logged.
Successful exploits can allow the attacker to compromise the entire WordPress
installation. This is specifically relevant in multi-site installations.
PROOF OF CONCEPT
===================
1.Go to “/wp-admin/admin.php?page=tp_advanced” and “Enable debugging” by pointing
it to a filename with a .php extension.
2.Set the “Level of logging” to “Debug”
3.Saving the settings
4.Submit a payload like “<?php phpinfo();?>” to any of Transposh’s functionalities.
5.Go to "/wp-admin/[your-filename.php]" to trigger the code injectionSOLUTION
===========
None. Remove the plugin to prevent exploitation.REPORT TIMELINE
==================
2022-02-21: Discovery of the vulnerability
2022-02-21: Contacted the vendor via email
2022-02-21: Vendor response
2022-02-22: CVE requested from WPScan (CNA)
2022-02-23: WPScan assigns CVE-2022-25812
2022-05-22: Sent request for status update on the fix
2022-05-24: Vendor states that there is no update planned so far
2022-07-22: Public disclosureREFERENCES
=============
https://github.com/MrTuxracer/advisories
Related news
The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.8.1. This is due to insufficient permissions checking on the 'tp_translation' AJAX action and default settings which makes it possible for unauthenticated attackers to influence the data shown on the site.
The Transposh WordPress Translation WordPress plugin before 1.0.8 does not validate its debug settings, which could allow allowing high privilege users such as admin to perform RCE