CVE-2022-2461

MEDIUM EXPLOITED NUCLEI

Transposh WordPress Translation < 1.0.8.1 - Missing Authorization

Title source: rule

Description

The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.9.6. This is due to insufficient permission checks on the 'tp_translation' AJAX action, combined with the plugin's default settings, which makes it possible for unauthenticated attackers to influence the data shown on the site.

Nuclei Templates (1)

Transposh WordPress Translation <= 1.0.8 - Unauthenticated Settings Change
MEDIUM VERIFIED by riteshs4hu
FOFA: body="/wp-content/plugins/transposh-translation-filter-for-wordpress/"

Scores

CVSS v3 5.3
EPSS 0.1785
EPSS Percentile 95.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

VulnCheck KEV 2022-07-25
CWE
CWE-862
Status published
Products (2)
oferwald/Transposh WordPress Translation < 1.0.9.6
transposh/transposh_wordpress_translation < 1.0.8.1
Published Sep 06, 2022
Tracked Since Feb 18, 2026