Overview of vulnerabilities in the WordPress world for July 2020
The overview was kindly provided by the WPVulnDB service, for which special thanks go to them.
Vulnerable WordPress plugins
- Quiz And Survey Master < 7.0.0 — Authenticated Stored Cross-Site Scripting (XSS)
- Gallery PhotoBlocks < 1.2.0 — Authenticated Cross-Site Scripting (XSS)
- Comments – wpDiscuz 7.0.0 to 7.0.4 — Unauthenticated Arbitrary File Upload
- WooCommerce Subscriptions < 2.6.3 — Unauthenticated Stored Cross-Site Scripting (XSS)
- JobSearch < 1.5.6 — Unauthenticated Reflected XSS
- Social Sharing Plugin < 1.2.10 — Cross-Site Request Forgery in Settings
- TC Custom JavaScript < 1.2.2 — Unauthenticated Stored Cross-Site Scripting (XSS)
- JobSearch < 1.5.5 — Unauthenticated Reflected Cross-Site Scripting
- Email Subscribers & Newsletters < 4.5.1 — Authenticated SQL injection in es_newsletters_settings_callback()
- Email Subscribers & Newsletters < 4.5.1 — Cross-site Request Forgery in send_test_email()
- All in One SEO Pack < 3.6.2 — Authenticated Stored Cross-Site Scripting
- Email Verification for WooCommerce < 1.8.2 — Loose Comparison to Authentication Bypass
- SendPress Newsletter < 1.20.7.13 — Authenticated Stored Cross-Site Scripting (XSS)
- Form Maker by 10Web < 1.13.40 — Authenticated Reflected XSS
- Newsletter < 6.7.7 — Authenticated Stored Cross-Site Scripting
- WP-Live Chat by 3CX < 8.2.0 — Authenticated Stored Cross-Site Scripting
- SRS Simple Hits Counter <= 1.0.4 — Unauthenticated Blind SQL Injection
- Powie’s WHOIS Domain Check < 0.9.33 — Authenticated Stored Cross-Site Scripting
- Wise Chat < 2.8.4 — CSV Injection
- Knight Lab Timeline < 3.7.0.0 — Outdated TimelineJS library could Lead to Stored XSS
- KingComposer < 2.9.5 — Unauthenticated Reflected Cross-Site Scripting
- Adning Advertising < 1.5.6 — Unauthenticated Arbitrary File Upload/Deletion
- Security & Malware scan by CleanTalk < 2.51 — Security Nonce Leak leading to Unauthorised AJAX call
- JobSearch < 1.5.3 — Multiple Cross-Site Scripting Issues
- Testimonials Widget <= 3.5.1 — Multiple Authenticated Stored Cross-Site Scripting (XSS)
- Payment Form For Paypal Pro < 1.1.65 — Unauthenticated SQL Injection
- WPForms < 1.6.0.2 — Authenticated Stored Cross-Site Scripting (XSS)
Vulnerable WordPress themes
- JobCareer < 3.5 — Multiple Cross-Site Scripting (XSS)
- Reality < 2.5.6 — Multiple Reflected Cross-Site Scripting (XSS)
- Real Estate 7 < 3.0.4 — Unauthenticated Reflected XSS
- CarePlus <= 1.2 — Unauthenticated Reflected Cross-Site Scripting (XSS)
- Careerfy < 4.4.0 — Unauthenticated Reflected XSS
- Careerfy < 4.3.0 — Unauthenticated Reflected Cross-Site Scripting
- Golo < 1.3.3 — Unauthenticated Reflected XSS
- Jetapo < 1.1 — Unauthenticated Reflected Cross-Site Scripting (XSS)
- Workio – Job Board < 1.0.3 — Unauthenticated Reflected XSS
- Workup – Job Board < 2.1.6 — Unauthenticated Reflected XSS
- Findgo — Directory Listing < 1.3.32 — Unauthenticated Reflected and Authenticated Stored XSS
- Prolisting — Directory Listing < 1.27 — Unauthenticated Reflected XSS
- Kormosala – Job Board < 1.0.23 — Unauthenticated Reflected XSS
- Findus — Directory Listing < 1.1.15 — Authenticated Persistent XSS
- InJob < 3.4.1 — Authenticated Reflected Cross-Site Scripting (XSS)
- Travel Booking < 2.8.4 — Unauthenticated Cross-Site Scripting (XSS)
- Travel Booking < 2.8.4 — Unauthenticated SQL Injection
- Monalisa < 2.1.3 — Unauthenticated Reflected Cross-Site Scripting (XSS)
- Careerfy < 4.1.0 — Multiple Cross-Site Scripting (XSS) Issues
- CareerUp < 2.3.1 — Unauthenticated Reflected Cross-Site Scripting