CVE-2022-3141
Published: 19 September 2022
Summary
CVE-2022-3141 is a high-severity SQL Injection (CWE-89) vulnerability in Cozmoslabs Translatepress. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 11.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Translate Multilingual sites WordPress plugin before version 2.3.3 is affected by an authenticated SQL injection vulnerability tracked as CVE-2022-3141. The flaw is triggered when an attacker adds a new language through the plugin settings page and supplies a value containing specific special characters that break out of the backtick quoting in the generated SQL query, allowing a time-based blind SQL payload to be injected. The issue is classified under CWE-89 and carries a CVSS v3.1 score of 8.8.
An authenticated user with language-management privileges can exploit the vulnerability over the network without user interaction to execute arbitrary SQL commands against the underlying database. This can result in full compromise of confidentiality, integrity, and availability of site data, including the potential for data exfiltration or unauthorized modification of WordPress content and user records.
Public references, including WPScan and Packet Storm disclosures, document the issue and provide proof-of-concept details, while the affected plugin is stated to be fixed in version 2.3.3. The associated EPSS score remains low, with a modest peak of 0.0566.
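The weakness described above is a user-controlled value landing inside a backtick-quoted SQL identifier. As an added illustration (not TranslatePress code; the table name, function names and the language-code pattern are assumptions), the following shows the unsafe pattern beside a hardened version that validates the language code against a strict allowlist and escapes backticks as defense in depth:

```php
<?php
// Added example, not code from the TranslatePress plugin. The table name
// 'wp_trp_dictionary_en_us_<lang>' and all function names are assumptions.

// Unsafe pattern: the language slug is trusted and interpolated straight into
// a backtick-quoted identifier. A value containing a backtick terminates the
// identifier early, so the rest of the input becomes SQL.
function build_query_unsafe(string $lang): string {
    return "SELECT original FROM `wp_trp_dictionary_en_us_{$lang}` LIMIT 1";
}

// Hardened: accept only the shape a language code legitimately has
// (e.g. "en", "fr_FR", "zh_Hant_TW") and refuse everything else up front.
function validate_language_code(string $lang): bool {
    return (bool) preg_match('/^[a-z]{2,3}(_[a-z0-9]{2,8}){0,2}$/i', $lang);
}

// Quote an identifier by doubling any embedded backtick. Validation already
// excludes backticks; this is a second, independent layer.
function quote_identifier(string $name): string {
    return '`' . str_replace('`', '``', $name) . '`';
}

// Returns null when the input is rejected, rather than trying to "clean" it.
function build_query_safe(string $lang): ?string {
    if (!validate_language_code($lang)) {
        return null;
    }
    $table = quote_identifier('wp_trp_dictionary_en_us_' . strtolower($lang));
    return "SELECT original FROM {$table} LIMIT 1";
}

// Constructed inputs: a legitimate locale and one carrying a stray backtick.
$inputs = ['fr_FR', 'fr`_FR'];
foreach ($inputs as $in) {
    echo "unsafe: ", build_query_unsafe($in), PHP_EOL;
    echo "safe:   ", build_query_safe($in) ?? 'REJECTED', PHP_EOL;
}
```

For the second input the unsafe builder emits a query whose identifier closes after `fr`, while the hardened builder rejects it before any SQL is assembled.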
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-42568
Vulnerability details
The Translate Multilingual sites WordPress plugin before 2.3.3 is vulnerable to an authenticated SQL injection. By adding a new language (via the settings page) containing specific special characters, the backticks in the SQL query can be surpassed and a time-based blind payload can be injected.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.