CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Missing Authorization vulnerability in ConveyThis ConveyThis conveythis-translate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ConveyThis: from n/a through <= 269.2.
Analysis (AI)
Missing access control in the ConveyThis WordPress plugin through version 269.2 allows authenticated users with low-level privileges to execute actions they are not authorized for, with high confidentiality, integrity, and availability impact. The vulnerability stems from missing authorization checks (CWE-862): functionality that should be limited to administrators is reachable by any logged-in user, which amounts to privilege escalation through misconfigured access control levels. No public exploit was identified at the time of analysis, and the EPSS score of 0.06% indicates a low predicted probability of exploitation.
Technical Context (AI)
This vulnerability is a broken access control flaw (CWE-862: Missing Authorization) in the ConveyThis translation plugin for WordPress. The plugin fails to verify user permissions before granting access to sensitive functionality or data. Flaws of this class occur when an application authenticates a user but does not enforce what that user is permitted to do, so lower-privileged users can perform actions reserved for administrators or other higher-privileged roles. In WordPress plugins this typically takes the form of AJAX handlers, REST API endpoints, or administrative functions that lack a capability check (for example `current_user_can()`) or a REST `permission_callback`. Because ConveyThis provides website translation services, missing authorization could expose translation management, configuration settings, or API key handling to modification by any authenticated user, regardless of the role the site intended to give them.
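To make the pattern concrete, the following is an added illustrative example, not code from the ConveyThis plugin or from Patchstack: a WordPress AJAX settings handler written the vulnerable way (no authorization check) beside a hardened version, plus the equivalent REST route with a capability-bound `permission_callback`. The action name, option name, route namespace and function names are all hypothetical; the WordPress API calls (`check_ajax_referer`, `current_user_can`, `register_rest_route`, `wp_send_json_error`) are real.

```php
<?php
/**
 * Added example (not ConveyThis code): the CWE-862 pattern described above,
 * shown as a vulnerable WordPress AJAX handler beside a hardened one, plus a
 * REST route with a proper permission_callback.
 * All action, option, route and function names below are hypothetical.
 */

// --- Vulnerable pattern ------------------------------------------------------
// Hooked on wp_ajax_* (not wp_ajax_nopriv_*), so it already requires a login.
// Nothing checks WHICH user is calling, so a subscriber-level account can
// overwrite the plugin's API key: authentication is present, authorization is
// missing. Shown for contrast only; it is deliberately not registered here.
function example_save_settings_vulnerable() {
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( 'example_translate_api_key', $api_key ); // hypothetical option
    wp_send_json_success();
}

// --- Hardened pattern --------------------------------------------------------
function example_save_settings_hardened() {
    // CSRF: the request must carry a nonce issued for this exact action.
    // Note that a nonce alone is NOT authorization: any logged-in user can be
    // issued one for their own session.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // Authorization: only users allowed to manage site options may proceed.
    // wp_send_json_error() terminates the request, so no fall-through occurs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( 'example_translate_api_key', $api_key );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );

// --- Same rule for REST routes ----------------------------------------------
// A permission_callback that returns true unconditionally (or is omitted) is
// the REST-API form of the same bug. Bind it to a capability instead.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-translate/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_rest_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'api_key' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_rest_save_settings( WP_REST_Request $request ) {
    update_option( 'example_translate_api_key', $request->get_param( 'api_key' ) );
    return new WP_REST_Response( array( 'saved' => true ), 200 );
}
```

When reviewing a plugin for this class of flaw, the useful audit is mechanical: list every `add_action( 'wp_ajax_...' )`, `add_action( 'admin_post_...' )` and `register_rest_route()` call and confirm that each state-changing handler both verifies a nonce and checks a capability (or a `permission_callback` that does). A handler that only checks `is_user_logged_in()` is still vulnerable in the sense described on this page, because the CVSS vector's `PR:L` means the attacker already has a low-privileged login.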
Affected Products (AI)
The vulnerability affects the ConveyThis plugin for WordPress from an unspecified initial version through version 269.2. ConveyThis is a multilingual website translation solution that integrates with WordPress to provide automated translation services. According to Patchstack's vulnerability database the issue persists through version 269.2, but the earliest affected version is not given in the available data, so organizations running ConveyThis at version 269.2 or earlier should treat themselves as affected. The vendor advisory and technical details are available at the Patchstack database reference provided by the reporting researcher from [email protected].
Remediation (AI)
Upgrade the ConveyThis plugin to version 269.3 or later if available, as version 269.2 is confirmed vulnerable. Site administrators should immediately check the installed ConveyThis version (Plugins > Installed Plugins in the WordPress admin dashboard) and apply available updates through the dashboard or manually from the WordPress plugin repository. Until patching is complete, consider temporarily restricting user registration or demoting untrusted accounts, since every authenticated user, whatever their role, is a potential attacker for this flaw. Review WordPress user roles, enforce the principle of least privilege, and remove unnecessary accounts. Consult the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/conveythis-translate/vulnerability/wordpress-conveythis-plugin-268-10-broken-access-control-vulnerability for vendor-specific remediation guidance and confirmation of fixed versions. Because this is an authorization bypass rather than an input-handling flaw, web application firewall rules are unlikely to mitigate it effectively; the missing check must be fixed in the plugin code.