CVE-2022-3141

HIGH

TranslatePress < 2.3.3 - Authenticated SQL Injection via Language Addition

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-3141. PoCs published by Elias Hohl, Tomoe-12.

AI-analyzed exploit summary This exploit demonstrates an authenticated SQL injection vulnerability in the Translatepress Multilingual WordPress plugin. It uses sqlmap to perform a time-based blind SQL injection attack on the 'trp_settings[translation-languages][]' parameter.

Description

The Translate Multilingual sites WordPress plugin before 2.3.3 is vulnerable to an authenticated SQL injection. By adding a new language (via the settings page) containing specific special characters, the backticks in the SQL query can be surpassed and a time-based blind payload can be injected.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Elias Hohl · textwebappsphp

https://www.exploit-db.com/exploits/51043

View Code ZIP pw:eip

This exploit demonstrates an authenticated SQL injection vulnerability in the Translatepress Multilingual WordPress plugin. It uses sqlmap to perform a time-based blind SQL injection attack on the 'trp_settings[translation-languages][]' parameter.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Translatepress Multilingual WordPress plugin < 2.3.3

Auth required

Prerequisites: WordPress instance with Translatepress Multilingual plugin installed · Authenticated user access · Burp Suite for request interception

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WRITEUP 1 stars

by Tomoe-12 · poc

https://github.com/Tomoe-12/CVE_2022_3141

View Code ZIP pw:eip

This repository provides a detailed analysis and report for CVE-2022-3141, an SQL injection vulnerability in the TranslatePress WordPress plugin. It includes vulnerability details, exploit steps, and mitigation strategies.

Classification

Writeup 90%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: TranslatePress WordPress plugin (versions < 2.3.3)

Auth required

Prerequisites: Authenticated user account with low privileges · WordPress instance with vulnerable TranslatePress plugin

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/171479/WordPress-Translatepress-Multilingual-SQL-Injection.html

Exploit, Third Party Advisory

https://wpscan.com/vulnerability/1fa355d1-cca8-4b27-9d21-0b420a2e1bf3

Various Sources

https://medium.com/%40elias.hohl/authenticated-sql-injection-vulnerability-in-translatepress-multilingual-wordpress-plugin-effc08eda514

Scores

CVSS v3 8.8

EPSS 0.0381

EPSS Percentile 88.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

cozmoslabs/translatepress < 2.3.3

Published Sep 19, 2022

Tracked Since Feb 18, 2026