CVE-2022-2462 PoC — WordPress plugin Transposh WordPress Translation Information Disclosure Vulnerability

Associated Vulnerability
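Title: WordPress plugin Transposh WordPress Translation Information Disclosure Vulnerability (CVE-2022-2462)
Description: WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP. The platform supports setting up personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin Transposh WordPress Translation versions 1.0.8.1 and earlier contain an information disclosure vulnerability, which stems from an ajax action named "tp_history" that is intended to return data about who translated the text given by the "token" parameter. However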
Description
The WordPress Transposh plugin through 1.0.8.1 is susceptible to information disclosure via the AJAX action tp_history, which is intended to return data about who has translated a text given by the token parameter. However, the plugin also returns the user's login name as part of the user_login attribute. If an anonymous user submits the translation, the user's IP address is returned. An attacker can leak the WordPress username of translators and potentially execute other unauthorized operations.
File Snapshot

id: CVE-2022-2462
info:
  name: WordPress Transposh <=1.0.8.1 - Information Disclosure
  author: dw ...