Overview of vulnerabilities in the WordPress world for August 2020
The overview was kindly provided by the WPVulnDB service, for which we thank them separately.
Vulnerable WordPress plugins
- Recall Products <= 0.8 — Authenticated Cross-Site Scripting
- Recall Products <= 0.8 — Authenticated SQL Injection
- WP Smart CRM & Invoices FREE <= 1.8.7 — Authenticated Stored Cross-Site Scripting
- Ceceppa Multilingua <= 1.5.17 — Authenticated Reflected Cross-Site Scripting
- Bulk Change <= 1.0 — Authenticated Reflected Cross-Site Scripting
- WP Floating Menu < 1.4.1 — Authenticated Reflected Cross-Site Scripting
- Subscribe Sidebar <= 1.3.1 — Authenticated Reflected Cross-Site Scripting
- Quiz and Survey Master < 7.0.2 — Unauthenticated Arbitrary File Upload
- FooGallery < 1.9.25 — Authenticated Cross-Site Scripting (XSS)
- Autoptimize < 2.7.7 — Authenticated Arbitrary File Upload
- RSVPMaker < 7.8.2 — Unauthenticated SQL Injection
- WooCommerce — NAB Transact < 2.1.2 — Payment Bypass
- Contact Form — Form builder by Kali Forms < 2.1.2 — Multiple CSRF Bypass Issues
- Contact Form — Form builder by Kali Forms < 2.1.2 — Authenticated Plugin’s Settings Change
- Contact Form — Form builder by Kali Forms < 2.1.2 — Unauthenticated Arbitrary Post Deletion
- Advanced Access Manager < 6.6.2 — Authenticated Information Disclosure
- Advanced Access Manager < 6.6.2 — Authenticated Authorization Bypass and Privilege Escalation
- Discount Rules for WooCommerce < 2.1.0 — Multiple Vulnerabilities
- WP Customer Reviews < 3.4.3 — Multiple Unauthenticated and Low Priv Authenticated Stored XSS
- Elegant Testimonial <= 1.1.6 — Multiple Authenticated Stored Cross-Site Scripting
- Click to Top <= 1.2.7 — Authenticated Stored Cross-Site Scripting
- Change WordPress Login Logo <= 1.1.4 — Authenticated Stored Cross-Site Scripting
- Internal Links Manager <= 2.0.2 — Multiple Authenticated Stored Cross-Site Scripting
- Fancy Lightbox < 1.0.2 — Authenticated Stored Cross-Site Scripting
- Easy Media Download < 1.1.5 — Authenticated Stored Cross-Site Scripting
- NextGEN Gallery Sell Photo <= 1.0.4 — Authenticated Stored Cross-Site Scripting
- Responsive Lightbox2 < 1.0.3 — Authenticated Stored Cross-Site Scripting
- Colorbox Lightbox <= 1.1.2 — Authenticated Stored Cross-Site Scripting
- Sell Photo <= 1.0.5 — Authenticated Stored Cross-Site Scripting
- Sell Media < 2.4.2 — Unauthenticated Reflected Cross-Site Scripting (XSS)
- Quiz and Survey Master < 7.0.1 — Arbitrary File Upload
- Quiz and Survey Master < 7.0.1 — Unauthenticated Arbitrary File Deletion
- Ultimate Member < 2.1.7 — Unauthenticated Open Redirect
- Very Simple Quiz — Multiple Authenticated Stored Cross-Site Scripting (XSS)
- Admin Menu <= 1.1 — Authenticated Cross-Site Scripting (XSS)
- Cardoza WordPress Poll <= 36 — Authenticated SQL Injection
- Ultimate Appointment Booking & Scheduling < 1.1.10 — Authenticated Cross-Site Scripting (XSS)
- RSS Feed Widget < 2.8.1 — Authenticated Cross-Site Scripting (XSS)
- File Manager < 6.5 — Backup File Directory Listing
- The Official WordPress Facebook Chat Plugin < 1.6 — Authenticated Options Change to Chat Takeover
- CMP — Coming Soon & Maintenance < 3.8.2 — Improper Access Controls on AJAX Calls
- Elegant Themes (Divi 3.0 — 4.5.2, Extra 2.0 — 4.5.2, Divi Builder 2.0 — 4.5.2) — Authenticated Arbitrary File Upload
- Newsletter < 6.8.2 — Authenticated PHP Object Injection
- Newsletter < 6.8.2 — Authenticated Cross-Site Scripting (XSS)
- Product Input Fields for WooCommerce < 1.2.7 — Unauthenticated File Download
Vulnerable WordPress themes
- Home Villas <= 2.2 — Multiple Cross-Site Scripting Issues
- Geo Magazine <= 2.0 — Unauthenticated Reflected XSS
- Nova Lite < 1.3.9 — Unauthenticated Reflected Cross-Site Scripting (XSS)
- Konzept < 2.5 — Unauthenticated Reflected XSS
- FoodBakery < 2.0 — Unauthenticated Reflected XSS
- Elegant Themes (Divi 3.0 — 4.5.2, Extra 2.0 — 4.5.2, Divi Builder 2.0 — 4.5.2) — Authenticated Arbitrary File Upload