PT-2022-17238 · WordPress · Transposh Wordpress Translation Plugin

Julien Ahrens · Published 2022-08-19 · Updated 2022-12-20 · CVE-2022-2536

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Transposh WordPress Translation plugin versions up to, and including, 1.0.8.1
Description: The plugin allows unauthenticated users to make unauthorized setting changes because settings submitted through the 'tp_translation' AJAX action are insufficiently validated. This makes it possible for attackers to bypass restrictions and influence the data shown on the site. The problem is caused by faulty validation in "wp/transposh_db.php" when the "autotranslate" feature is enabled and the HTTP POST parameter sr0 is larger than 0.
Recommendations: For versions up to, and including, 1.0.8.1, update to a version that fixes the insufficient validation issue. As a temporary workaround, consider disabling the 'autotranslate' feature until a patch is available. Restrict access to the 'tp_translation' AJAX action to minimize the risk of exploitation, and avoid using the HTTP POST parameter sr0 in the affected AJAX action until the issue is resolved.
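A defensive workaround of the kind the recommendations describe, written as an added example and not Transposh's own code: a WordPress must-use plugin that rejects unauthenticated 'tp_translation' AJAX requests carrying an sr0 parameter before the plugin's handler runs. It assumes Transposh registers its anonymous handler on the wp_ajax_nopriv_tp_translation hook (the hook admin-ajax.php fires for unauthenticated callers) at the default priority; the tpguard_ names are the example's own.

```php
<?php
/**
 * Plugin Name: tp_translation guard (illustrative workaround, not part of Transposh)
 * Description: Place in wp-content/mu-plugins/ to block the CVE-2022-2536 trigger
 *              condition until Transposh is updated past 1.0.8.1.
 */

if (!defined('ABSPATH')) {
    exit; // never run outside WordPress
}

/**
 * Decide whether an anonymous tp_translation request must be rejected.
 * The advisory's trigger is an HTTP POST parameter sr0 larger than 0, so only
 * those requests are blocked; anonymous requests without sr0 still reach the
 * plugin. Free of WordPress calls so it can be tested in isolation.
 */
function tpguard_should_block(array $post): bool
{
    if (!isset($post['sr0'])) {
        return false;            // no sr0 at all: not the trigger condition
    }
    if (!is_scalar($post['sr0'])) {
        return true;             // an array is never a legitimate sr0: fail closed
    }
    // Fail closed: anything other than an empty or literal "0" value counts as
    // "larger than 0", whatever parsing the plugin itself applies ("1abc" casts
    // to 1, "0.5" is above 0 as a float), so odd encodings cannot slip past.
    $raw = trim((string) $post['sr0']);
    return $raw !== '' && $raw !== '0';
}

/**
 * Runs at priority 0 on the unauthenticated AJAX hook, i.e. before Transposh's
 * own handler (assumed to be registered on wp_ajax_nopriv_tp_translation at the
 * default priority 10). wp_send_json_error() exits, so the plugin never runs.
 */
function tpguard_block_nopriv_translation(): void
{
    if (!tpguard_should_block($_POST)) {
        return;
    }
    error_log(sprintf(
        'tpguard: blocked unauthenticated tp_translation carrying sr0 from %s',
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ));
    wp_send_json_error(['message' => 'Forbidden'], 403);
}
add_action('wp_ajax_nopriv_tp_translation', 'tpguard_block_nopriv_translation', 0);
```

The narrow check keeps ordinary anonymous translation submissions working; to apply the broader "restrict access to the AJAX action" recommendation instead, have tpguard_should_block() return true unconditionally.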

Weakness Enumeration: Improper Authorization

Related Identifiers: CVE-2022-2536

Affected Products: Transposh WordPress Translation Plugin