WordPress vulnerability roundup for June 2020
This roundup was kindly provided by the WPVulnDB service, to whom special thanks are due.
Vulnerabilities in the WordPress core
- WordPress < 5.4.2 — Disclosure of Password-Protected Page/Post Comments
- WordPress < 5.4.2 — Misuse of set-screen-option Leading to Privilege Escalation
- WordPress < 5.4.2 — Authenticated XSS via Theme Upload
- WordPress < 5.4.2 — Open Redirection
- WordPress < 5.4.2 — Authenticated XSS via Media Files
- WordPress < 5.4.2 — Authenticated XSS in Block Editor
Vulnerable WordPress plugins
- ACF to REST API < 3.3.0 — Unauthenticated Arbitrary wp_options Disclosure
- Coming Soon Page, Under Construction & Maintenance Mode by SeedProd < 5.1.2 — Authenticated Stored Cross Site Scripting (XSS)
- WooCommerce < 4.2.1 — Potential Cross-Site Scripting (XSS) via SelectWoo
- YITH WooCommerce Ajax Product Filter < 3.11.1 — Authenticated Reflected Cross-Site Scripting (XSS)
- WP-Pro-Quiz <= 0.37 — CSRF Leading to Arbitrary Quiz Deletion
- All in One Support Button < 1.8.8 — Authenticated Stored Cross-Site Scripting
- Testimonial Rotator < 3.0.3 — Authenticated Stored Cross-Site Scripting (XSS)
- Delete All Comments Easily <= 1.3 — CSRF Leading to All Comments Deletion
- KingComposer < 2.9.4 — Multiple Critical Issues
- wpDiscuz < 5.3.6 — Unauthenticated SQL Injection
- Brizy — Page Builder < 1.0.126 — Improper Access Controls on AJAX Calls
- SportsPress < 2.7.2 — Authenticated Stored Cross-Site Scripting
- Elementor Page Builder < 2.9.10 — Authenticated Stored XSS
- JobSearch < 1.5.1 — Unauthenticated Reflected Cross-Site Scripting (XSS)
- AdRotate < 5.8.4 — Authenticated SQL Injection
Vulnerable WordPress themes
- Nexos — Real Estate < 1.8 — Unauthenticated Reflected XSS & SQL Injection
- Travel Booking < 2.8.2 — Unauthenticated Reflected XSS
- CityBook < 2.4.4 — Unauthenticated Reflected XSS
- TownHub < 1.3.0 — Unauthenticated Reflected XSS
- Careerfy < 3.9.0 — Unauthenticated Reflected Cross-Site Scripting (XSS)
- Newspaper < 10.3.4 — Authenticated Reflected Cross-Site Scripting