vulnerability
WordPress Plugin: transposh-translation-filter-for-wordpress: CVE-2022-25812: Unrestricted Upload of File with Dangerous Type
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:M/C:C/I:C/A:C) | Jul 22, 2022 | Jul 22, 2025 | Apr 30, 2026 |
Severity
8
CVSS
(AV:N/AC:L/Au:M/C:C/I:C/A:C)
Published
Jul 22, 2022
Added
Jul 22, 2025
Modified
Apr 30, 2026
Description
The Transposh WordPress Translation plugin for WordPress is vulnerable to remote code execution in versions up to, and including, 1.0.9.1. This is due to insufficient extension validation on the log file that can be created via the plugin. This makes it possible for authenticated attackers with administrative level permissions and above to set the log file extension to .php and then update a setting to log PHP executable code to that file which can be used to achieve remote code execution.
Solution
transposh-translation-filter-for-wordpress-plugin-cve-2022-25812
References
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.