CVE-2022-2462
MEDIUM NUCLEI
Transposh WordPress Translation <= 1.0.9.6 - Unauthenticated Sensitive Information Disclosure via tp_history AJAX Action
Title source: llm
Exploitation Summary
CVE-2022-2462 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The Transposh WordPress Translation plugin for WordPress is vulnerable to sensitive information disclosure to unauthenticated users in versions up to, and including, 1.0.9.6. This is due to insufficient permissions checking on the 'tp_history' AJAX action and insufficient restriction on the data returned in the response. This makes it possible for unauthenticated users to exfiltrate usernames of individuals who have translated text.
Nuclei Templates (1)
WordPress Transposh <=1.0.8.1 - Information Disclosure
MEDIUM by dwisiswant0
References (6)
Core References
Exploit, Third Party Advisory, VDB Entry
https://packetstormsecurity.com/files/167878/wptransposh1081-disclose.txt
Patch, Third Party Advisory
https://plugins.trac.wordpress.org/browser/transposh-translation-filter-for-wordpress/trunk/transposh.php?rev=2682425#L1948
Exploit, Third Party Advisory
https://www.rcesecurity.com/2022/07/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS/
Exploit, Third Party Advisory
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2462
Scores
CVSS v3
5.3
EPSS
0.0294
EPSS Percentile
85.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (2)
oferwald/Transposh WordPress Translation
< 1.0.9.6
transposh/transposh_wordpress_translation
< 1.0.8.1
Published
Sep 06, 2022
Tracked Since
Feb 18, 2026