CVE-2022-3141

HIGH

Cozmoslabs Translatepress < 2.3.3 - SQL Injection

Title source: rule

Description

The Translate Multilingual sites WordPress plugin before 2.3.3 is vulnerable to an authenticated SQL injection. By adding a new language (via the settings page) containing specific special characters, the backticks in the SQL query can be surpassed and a time-based blind payload can be injected.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Elias Hohl · textwebappsphp

https://www.exploit-db.com/exploits/51043

View Code ZIP pw:eip

nomisec WRITEUP 1 stars

by Tomoe-12 · poc

https://github.com/Tomoe-12/CVE_2022_3141

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/171479/WordPress-Translatepress-Multilingual-SQL-Injection.html

[Various Sources] https://medium.com/%40elias.hohl/authenticated-sql-injection-vulnerability-in-translatepress-multilingual-wordpress-plugin-effc08eda514

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/1fa355d1-cca8-4b27-9d21-0b420a2e1bf3

Scores

CVSS v3 8.8

EPSS 0.0386

EPSS Percentile 88.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

cozmoslabs/translatepress < 2.3.3

Published Sep 19, 2022

Tracked Since Feb 18, 2026