CVE-2022-2461 is a security vulnerability identified in the Transposh WordPress Translation plugin, developed by oferwald, affecting all versions up to and including 1.0.8.1. The vulnerability is classified under CWE-862, which pertains to missing authorization. Specifically, the issue arises from insufficient permission checks on the 'tp_translation' AJAX action within the plugin. This flaw allows unauthenticated attackers—meaning no login or user privileges are required—to perform unauthorized changes to plugin settings. Because the plugin controls translation features and the data displayed on the site, attackers can manipulate the content shown to visitors by altering translation data or settings. The vulnerability does not impact confidentiality or availability directly but compromises integrity by enabling unauthorized modification of site content. The CVSS v3.1 base score is 5.3 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). No known exploits are reported in the wild, and no official patches are linked in the provided data. This vulnerability could be exploited remotely without authentication, making it a significant risk for sites using this plugin without mitigation or updates.

For European organizations using the Transposh WordPress Translation plugin, this vulnerability poses a risk to the integrity of their website content. Attackers can inject or alter translated content, potentially misleading users, damaging brand reputation, or distributing misinformation. This could be particularly harmful for e-commerce sites, government portals, or news outlets relying on accurate multilingual content. While the vulnerability does not directly expose sensitive data or cause service outages, the unauthorized content changes can undermine user trust and compliance with content accuracy regulations, especially under the EU's strict consumer protection and digital service laws. Additionally, manipulated content could be used as a vector for social engineering or phishing attacks targeting European users. Given the plugin’s role in localization, organizations with multilingual audiences are at higher risk of impact.

Organizations should immediately audit their WordPress installations to identify the presence of the Transposh plugin and its version. Since no official patch links are provided, mitigation should include disabling the plugin until an update or patch is available. Alternatively, restricting access to the AJAX endpoint 'tp_translation' via web application firewall (WAF) rules or server-level access controls can prevent unauthorized requests. Monitoring and logging AJAX requests to detect unusual activity targeting this endpoint is recommended. Organizations should also consider replacing Transposh with alternative translation plugins that follow strict authorization checks. Regularly updating WordPress and plugins, subscribing to vulnerability advisories, and conducting periodic security assessments of plugins are critical to prevent exploitation of similar vulnerabilities.