CVE-2022-3141
Severity CVSS v4.0: Pending analysis
Type: CWE-89 SQL Injection
Publication date: 19/09/2022
Last modified: 07/11/2023
Description
The Translate Multilingual sites WordPress plugin before 2.3.3 is vulnerable to an authenticated SQL injection. By adding a new language (via the settings page) containing specific special characters, the backtick quoting in the SQL query can be bypassed and a time-based blind payload can be injected.
Impact
Base Score 3.x: 8.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:cozmoslabs:translatepress:*:*:*:*:*:wordpress:*:* | | 2.3.3 (excluding) |
References to Advisories, Solutions, and Tools
- http://packetstormsecurity.com/files/171479/WordPress-Translatepress-Multilingual-SQL-Injection.html
- https://medium.com/%40elias.hohl/authenticated-sql-injection-vulnerability-in-translatepress-multilingual-wordpress-plugin-effc08eda514
- https://wpscan.com/vulnerability/1fa355d1-cca8-4b27-9d21-0b420a2e1bf3



