CVE-2022-4290

Name of the Vulnerable Software and Affected Versions Cyr to Lat plugin for WordPress versions up to, and including, 3.5 Cyr to Lat plugin for WordPress version 3.6

Description The Cyr to Lat plugin for WordPress is vulnerable to authenticated SQL Injection via the ctl sanitize title function due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This potentially allows authenticated users with the ability to add or modify terms or tags to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Recommendations For versions up to, and including, 3.5, update to version 3.7 to fully patch the issue. For version 3.6, update to version 3.7 to fully patch the issue, as only a partial patch is available in version 3.6. As a temporary workaround, consider restricting access to the ctl sanitize title function until a patch is available.