Cyber Resilience

CVE-2022-3141

High · Public PoC

Published: 19 September 2022

Modified: 21 November 2024
KEV Added:
Patch:
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0386 (88.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-3141 is a high-severity SQL Injection (CWE-89) vulnerability in Cozmoslabs Translatepress. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 11.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The Translate Multilingual sites WordPress plugin before version 2.3.3 is affected by an authenticated SQL injection vulnerability tracked as CVE-2022-3141. The flaw is triggered when an attacker adds a new language through the plugin settings page and supplies input containing specific special characters that bypass backticks in the generated SQL query, allowing injection of a time-based blind SQL payload. The issue is classified under CWE-89 and carries a CVSS v3.1 score of 8.8.

An authenticated user with language-management privileges can exploit the vulnerability over the network without user interaction to execute arbitrary SQL commands against the underlying database. This can result in full compromise of confidentiality, integrity, and availability of site data, including the potential for data exfiltration or unauthorized modification of WordPress content and user records.

Public references, including WPScan and Packet Storm disclosures, document the issue and provide proof-of-concept details, while the affected plugin is stated to be fixed in version 2.3.3. The associated EPSS score remains low, with a modest peak of 0.0566.

EU & UK References

Vulnerability details

The Translate Multilingual sites WordPress plugin before 2.3.3 is vulnerable to an authenticated SQL injection. By adding a new language (via the settings page) containing specific special characters, the backticks in the SQL query can be surpassed and a time-based blind payload can be injected.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: cozmoslabs
Product: translatepress
Versions: ≤ 2.3.3

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

References