Vulnerabilities in WordPress core, plugins, and themes

WordPress vulnerability information has moved to the newsletter.
Every week it delivers the WordPress vulnerabilities disclosed during that week.

Free registration here

Plugins

02/18/2021~02/25/2021

  • eCommerce Product Catalog < 3.0.18 – CSRF Nonce Bypass
  • Better Search < 2.5.3 – CSRF Nonce Bypass in Import/Export
  • Process Steps Template Designer < 1.3 – CSRF to Stored Cross-Site Scripting (XSS)
  • Custom Banners < 3.3 – CSRF Nonce Bypass in saveCustomFields
  • Backup Guard < 1.6.0 – Authenticated Arbitrary File Upload
  • Testimonial Rotator <= 3.0.3 – Authenticated Stored Cross-Site Scripting
  • QuadMenu < 2.0.7 – Unauthenticated RCE via compiler_save
  • WP Content Plus < 3.2 – CSRF Nonce Bypass
  • Photo Gallery by 10web < 1.5.69 – Reflected Cross-Site Scripting (XSS)
  • YITH WooCommerce Gift Cards Premium < 3.3.1 – RCE via Arbitrary File Upload

02/09/2021~02/17/2021

  • All In One WP Security & Firewall < 4.4.6 – Authenticated Cross-Site Scripting (XSS)
  • Responsive Menu < 4.0.4 – CSRF to Arbitrary File Upload
  • Map Block for Google Maps < 1.32 – Unauthorised Google API Key change
  • Post SMTP Mailer/Email Log < 2.0.21 – CSRF Nonce Bypass
  • Theme Editor < 2.6 – Authenticated Arbitrary File Download
  • Zebra_Form Library <= 2.9.8 – Reflected Cross-Site Scripting (XSS)

02/01/2021~02/08/2021

  • Contact Form 7 Style <= 3.1.9 – Cross-Site Request Forgery to Stored Cross-Site Scripting
  • Ultimate GDPR & CCPA Compliance Toolkit < 2.5 – Unauthenticated Plugin Settings Export and Import
  • Name Directory < 1.18 – Cross-Site Request Forgery (CSRF)
  • Paid Membership Pro < 2.5.3 – Unauthorised Order Information Disclosure
  • Like Button Rating < 2.6.32 – Unauthenticated Full-Read SSRF
  • NextGen Gallery < 3.5.0 – CSRF allows File Upload
  • NextGen Gallery < 3.5.0 – CSRF allows File Upload, Stored XSS, and RCE
  • Ultimate Maps by Supsystic <= 1.1.14 – Authenticated SQL Injection
  • Pricing Table by Supsystic <= 1.8.8 – Authenticated SQL Injection
  • Pricing Table by Supsystic <= 1.8.8 – Authenticated Stored Cross-Site Scripting
  • Newsletter by Supsystic <= 1.5.6 – Authenticated SQL Injection
  • Membership by Supsystic <= 1.5.0 – Authenticated SQL Injection
  • Digital Publications by Supsystic <= 1.6.11 – Authenticated Stored Cross-Site Scripting (XSS)
  • Digital Publications by Supsystic <= 1.6.11 – Authenticated Path Traversal
  • Data Tables Generator by Supsystic <= 1.9.99 – Authenticated SQL Injection
  • Data Tables Generator by Supsystic <= 1.9.99 – Authenticated Stored Cross-Site Scripting (XSS)
  • Contact Form by Supsystic <= 1.7.8 – Authenticated SQL Injection
  • Contact Form by Supsystic < 1.7.7 – Authenticated Stored Cross-Site Scripting (XSS)
  • Backup by Supsystic <= 2.3.9 – Authenticated Arbitrary File Download and Deletion
  • WP Amour < 1.5.7 – Authenticated Stored Cross-Site Scripting (XSS)
  • Welcart e-Commerce < 2.1.1 – Authenticated SQL Injection

01/06/2021~01/12/2021

  • Advanced Custom Fields < 5.8.12 – Cross-Site Scripting in Select2 dropdowns
  • Elementor < 3.0.14 – SVG Upload Allowed by Default
  • Modal Survey < 2.0.1.8.2 – Authenticated PHP Object Injection
  • Modal Survey < 2.0.1.8.2 – Unauthenticated Arbitrary Survey Update, Deletion and Creation
  • Modal Survey < 2.0.1.8.2 – Authenticated Reflected Cross-Site Scripting (XSS)
  • Custom Global Variables <= 1.0.5 – Stored Cross-Site Scripting (XSS)

12/18/2020~12/23/2020

  • Contact Form 7 < 5.3.2 – Unrestricted File Upload
  • Simple Social Buttons < 3.2.1 – Unauthenticated Reflected Cross-Site Scripting
  • Simple Social Buttons < 3.2.0 – Reflected Cross-Site Scripting
  • Envira Gallery Lite < 1.8.3.3 – Authenticated Stored Cross-Site Scripting

12/10/2020~12/17/2020

  • Redux Framework 4.1.22 – 4.1.23 – CSRF Nonce Validation Bypass
  • Redux Framework < 4.1.21 – CSRF Nonce Validation Bypass
  • Total Upkeep by BoldGrid <= 1.14.9 – Unauthenticated Backup Download
  • Total Upkeep by BoldGrid <= 1.14.9 – Sensitive Data Disclosure (Server IP Address, UID etc)
  • Directories Pro < 1.3.46 – Authenticated Self-Reflected Cross-Site Scripting
  • Directories Pro < 1.3.46 – Authenticated Reflected Cross-Site Scripting
  • Ultimate Category Excluder < 1.2 – Cross-Site Request Forgery
  • Pagelayer < 1.3.5 – Multiple Reflected Cross-Site Scripting (XSS)
  • DiveBook <= 1.1.4 – Unauthenticated SQL Injection
  • DiveBook <= 1.1.4 – Unauthenticated Reflected XSS
  • DiveBook <= 1.1.4 – Improper Authorisation Check

12/03/2020~12/09/2020

  • Themify Portfolio Post < 1.1.6 – Authenticated Stored Cross-Site Scripting
  • Easy WP SMTP < 1.4.3 – Debug Log Disclosure

11/27/2020~12/02/2020

  • Profile Builder & Profile Builder Pro < 3.3.3 – Authenticated Blind SQL Injection
  • Age Gate <= 2.13.4 – Unauthenticated Open Redirect
  • BuddyPress < 6.4.0 – Lack of Capability Check on Profile Page

11/20/2020~11/26/2020

  • Contextual Related Posts < 2.9.4 – CSRF Nonce Validation Bypass
  • Anti-Spam by CleanTalk < 5.149 – Multiple Authenticated SQL Injections
  • Weforms <= 1.4.7 – CSV Injection
  • Easy Registration Forms <= 2.0.6 – CSV Injection
  • Import and export users and customers < 1.16.3.6 – CSV Injection
  • Secure File Manager – Authenticated Remote Command Execution
  • Media Library Assistant < 2.90 – Authenticated Blind SQL Injection
  • WP Google Map Plugin <= 4.1.3 – Authenticated SQL Injection
  • Events Manager <= 5.9.8.1 – Authenticated Stored Cross-Site Scripting
  • WPJobBoard < 5.7.0 – Unauthenticated SQL Injection

11/05/2020~11/19/2020

  • Fancy Product Designer < 4.5.1

11/04/2020~11/12/2020

  • Ultimate Member

10/22/2020~11/03/2020

  • GDPR CCPA Compliance Support < 2.4
  • AccessPress Social Icons < 1.8.1
  • Advanced Booking Calendar < 1.6.2
  • SW Ajax WooCommerce Search < 1.2.8
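"CSRF Nonce Bypass" is the most frequent entry in the weeks above (eCommerce Product Catalog, Better Search, Custom Banners, WP Content Plus, Post SMTP, Redux Framework, Contextual Related Posts), and several "CSRF to Stored XSS" and "CSRF to Arbitrary File Upload" entries are the same root cause carried one step further. The following PHP is an added illustration of how that class usually arises and how it is fixed; it is hypothetical demonstration code, not code taken from any plugin listed on this page. The option name `demo_banner_html`, the nonce action `demo_save_settings`, and all function names are invented for the example. The WordPress API calls (`wp_verify_nonce`, `check_admin_referer`, `current_user_can`, `wp_nonce_field`, `wp_kses_post`) are the real core functions.

```php
<?php
// Added illustration, not code from any plugin listed above.
// A hypothetical settings-save handler shown twice: the way a
// "CSRF nonce bypass" typically appears, and a hardened version.

// --- Weak pattern (hypothetical) ---
// Two mistakes that together make the nonce decorative:
//  1. the nonce is only verified when the request bothers to send one;
//  2. the return value of wp_verify_nonce() (false / 1 / 2) is ignored.
// A forged POST with no nonce, or a garbage nonce, still reaches
// update_option(), and because the value is stored unsanitised the
// CSRF becomes stored XSS on every page that renders the option.
function demo_save_settings_weak() {
    if ( isset( $_POST['demo_nonce'] ) ) {
        wp_verify_nonce( $_POST['demo_nonce'], 'demo_save_settings' ); // result never checked
    }
    update_option( 'demo_banner_html', $_POST['banner_html'] ?? '' );
}

// --- Hardened version ---
//  1. Capability check first: a nonce proves the request came from a
//     form this user loaded, it does not prove the user may do this.
//  2. check_admin_referer() calls wp_die() unless the nonce is present
//     AND valid for this action, so there is no "missing nonce" path.
//  3. Sanitise before storing so a CSRF or a low-privilege user cannot
//     plant script in the option.
function demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );

    $html = isset( $_POST['banner_html'] )
        ? wp_kses_post( wp_unslash( $_POST['banner_html'] ) )
        : '';
    update_option( 'demo_banner_html', $html );
}

// The matching form, so the hardened handler has a nonce to verify.
// wp_nonce_field() emits the hidden "demo_nonce" input tied to the
// current user and session; a cross-site attacker cannot read it.
function demo_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'demo_save_settings', 'demo_nonce' );
    echo '<input type="hidden" name="action" value="demo_save_settings">';
    echo '<textarea name="banner_html"></textarea>';
    submit_button();
    echo '</form>';
}

// Only the logged-in admin-post hook is registered; with no
// admin_post_nopriv_demo_save_settings handler, unauthenticated
// requests to admin-post.php do nothing.
add_action( 'admin_post_demo_save_settings', 'demo_save_settings_hardened' );
```

When auditing a plugin for this class, grep for `wp_verify_nonce` and check two things: whether its return value is actually used in a condition, and whether the call can be skipped by omitting the parameter. A handler that only has `check_admin_referer()` / `check_ajax_referer()` but no `current_user_can()` is the companion bug: any authenticated user who can obtain a nonce (often printed in page source for subscribers) can invoke it.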
