Each month we want to share with you the plugins that contain a security vulnerability and therefore need to be updated as soon as possible. We would stress that a WordPress installation can only be stable, well-functioning and protected against attacks when it is kept up to date, with an updated theme and plugins, and with the appropriate security rules observed. If you need professional help, get in touch with us and request a quote for our monthly, half-yearly or yearly update service.
WordPress Plugin Vulnerabilities / Security Risks of WordPress Plugins
- Woocommerce Customers Manager < 26.6 – Authenticated Reflected Cross-Site Scripting (XSS)
- Woocommerce Customers Manager < 26.6 – Arbitrary Account Creation/Update via CSRF
- Ivory Search < 4.6.1 – Reflected Cross Site Scripting (XSS)
- Cooked Pro < 1.7.5.6 – Unauthenticated Reflected Cross Site Scripting (XSS)
- Advanced Booking Calendar < 1.6.8 – Authenticated Reflected Cross-Site Scripting (XSS)
- Controlled Admin Access < 1.5.6 – Improper Access Control to Privilege Escalation
- Advanced Booking Calendar < 1.6.7 – Authenticated Reflected Cross-Site Scripting (XSS)
- Easy Form Builder <= 1.0 – Unauthorised AJAX calls
- AccessAlly < 3.5.7 – $_SERVER Superglobal Leakage
- Patreon WordPress < 1.7.2 – Reflected XSS on patreon_save_attachment_patreon_level AJAX action
- Patreon WordPress < 1.7.2 – Reflected XSS on Login Form
- Patreon WordPress < 1.7.0 – CSRF to Disconnect Sites From Patreon
- Patreon WordPress < 1.7.0 – CSRF to Overwrite/Create User Meta
- Patreon WordPress < 1.7.0 – Unauthenticated Local File Disclosure
- Easy Form Builder <= 1.0 – Authenticated Arbitrary File Upload
- N5 Upload Form <= 1.0 – Unauthenticated Arbitrary File Upload to RCE
- WP-Curricul Vitea Free <= 6.3 – Unauthenticated Arbitrary File Upload to RCE
- Quiz And Survey Master < 7.1.14 – Authenticated SQL injection via Rest API
- Quiz And Survey Master < 7.1.12 – Authenticated SQL injection via shortcode
- Vertical News Scroller < 1.17 – Authenticated Reflected Cross-Site Scripting (XSS)
- Facebook for WordPress < 3.0.0 – PHP Object Injection with POP Chain
- Facebook for WordPress 3.0.0-3.0.3 – CSRF to Stored XSS and Settings Deletion
- All Thrive Themes and Plugins – Unauthenticated Option Update
- MapifyLife <= 3.3.0 – Authenticated Stored Cross-Site Scripting (XSS)
- SecuPress < 2.0 – Unauthenticated Arbitrary IP Ban
- Mapplic and Mapplic Lite – SSRF to Stored Cross-Site Scripting (XSS)
- GiveWP < 2.10.0 – Reflected Cross Site Scripting (XSS)
- Controlled Admin Access < 1.5.2 – Improper Access Control & Privilege Escalation
- WooCommerce Help Scout < 2.9.1 – Unauthenticated Arbitrary File Upload leading to RCE
- WordPress Related Posts <= 3.6.4 – Authenticated Stored Cross-Site Scripting (XSS)
- PhastPress < 1.111 – Open Redirect
- WP Page Builder < 1.2.4 – Multiple Stored Cross-Site scripting (XSS)
- WP Page Builder < 1.2.4 – Insecure default configuration Allows Subscribers Editing Access to Posts
- Elementor < 3.1.2 – Authenticated Stored Cross-Site Scripting (XSS) in Image Box Widget
- Elementor < 3.1.2 – Authenticated Stored Cross-Site Scripting (XSS) in Icon Box Widget
- Elementor < 3.1.2 – Authenticated Stored Cross-Site Scripting (XSS) in Accordion Widget
- Elementor < 3.1.2 – Authenticated Stored Cross-Site Scripting (XSS) in Divider Widget
- Elementor < 3.1.2 – Authenticated Stored Cross-Site Scripting (XSS) in Heading Widget
- Elementor < 3.1.2 – Authenticated Stored Cross-Site Scripting (XSS) in Column Element
- BuddyPress < 7.2.1 – Invite Member to Join Group
- BuddyPress < 7.2.1 – Manage BuddyPress Member Types
- BuddyPress < 7.2.1 – Read Private Messages
- BuddyPress < 7.2.1 – Force a Friendship
- BuddyPress < 7.2.1 – REST API Privilege Escalation
- Paid Membership Pro < 2.5.6 – Authenticated SQL Injection
- wpDataTables < 3.4.2 – Blind SQL Injection via length Parameter
- wpDataTables < 3.4.2 – Blind SQL Injection via start Parameter
- wpDataTables < 3.4.2 – Improper Access Control leading to Table Data Deletion
- wpDataTables < 3.4.2 – Improper Access Control leading to Table Permission Takeover
- Flo Forms < 1.0.36 – Authenticated Options Change to Stored XSS
- SEO Redirection <= 6.3 – Authenticated Reflected Cross-Site Scripting (XSS)
- WP Super Cache < 1.7.2 – Authenticated Remote Code Execution (RCE)
- Tutor LMS < 1.8.3 – SQL Injection via tutor_answering_quiz_question/get_answer_by_id
- Tutor LMS < 1.7.7 – SQL Injection via tutor_place_rating
- Tutor LMS < 1.7.7 – Unprotected AJAX including Privilege Escalation
- Tutor LMS < 1.8.3 – SQL Injection via tutor_quiz_builder_get_question_form
- Tutor LMS < 1.8.3 – SQL Injection via tutor_quiz_builder_get_answers_by_question
- Tutor LMS < 1.7.7 – SQL Injection via tutor_mark_answer_as_correct
- Related Posts for WordPress < 2.0.4 – Authenticated Reflected Cross-Site Scripting (XSS)
- Social Slider Widget < 1.8.5 – Authenticated Reflected Cross-Site Scripting (XSS)
- VM Backups <= 1.0 – CSRF to Stored Cross-Site Scripting (XSS)
- VM Backups <= 1.0 – CSRF to Database Backup Download
- JH 404 Logger <= 1.1 – Unauthenticated Stored Cross-Site Scripting (XSS)
- Five Star Restaurant Menu < 2.2.1 – Unauthenticated PHP Object Injection
- Database Backups <= 1.2.2.6 – CSRF to Backup Download
- SuperStoreFinder & SuperInteractiveMaps – Unauthenticated SQL Injections
- The Plus Addons for Elementor Page Builder < 4.1.7 – Authentication Bypass
- WooCommerce Upload Files < 59.4 – Unauthenticated Arbitrary File Upload
- User Profile Picture < 2.5.0 – Sensitive Information Disclosure
- Advanced Order Export For WooCommerce < 3.1.8 – Reflected Cross-Site Scripting (XSS)
- WP GDPR Compliance < 1.5.6 – Unauthenticated Stored Cross-Site Scripting (XSS)
- Multiple Plugins – CSRF Nonce Bypasses
WordPress Theme Vulnerabilities / Security Risks of WordPress Themes
- Goto – Tour & Travel < 2.0 – Unauthenticated Reflected XSS
- Business Directory <= 1.2.0 – Unauthenticated Reflected Cross-Site Scripting (XSS)
- All Thrive Themes Legacy Themes < 2.0.0 – Unauthenticated Arbitrary File Upload and Option Deletion
- All Thrive Themes and Plugins – Unauthenticated Option Update
Of the plugins listed above, we use WP Page Builder, Elementor and WP GDPR Compliance. We learn about current updates through the WordFence and/or ManageWP services and take the necessary steps.