List of vulnerable WordPress plugins, 2020 - updates required
- Tuesday, 21st January, 2020
- 11:05am
Below is an overview of recently published WordPress vulnerabilities and related news.
In January we saw more than 23 vulnerable plugins, with vulnerabilities affecting more than 1.4 million sites.
If you are using any of the plugins mentioned, update them to the latest version as soon as possible, and do not forget to use a reCAPTCHA plugin to keep spam and bots out of your forms.
Sites hosted on HOST CURITIBA servers are protected against these security issues, but you, as the developer, must update your add-ons and install reCAPTCHA on your forms. Need a security management plan? We will apply the necessary updates monthly; see our management plans.
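The practical question this list raises is which installed plugins sit at or below the listed version ceilings. The following Python script is an added example, not code from the original post or from any of the plugin vendors: it reads the standard `Plugin Name:` / `Version:` header that WordPress expects in each plugin's main PHP file, compares the version against the ceilings transcribed from the list below ("X and below" or "fixed in X"), and reports what needs an update. Matching on the display name assumes the installed plugin's header uses the same name as this list; the plugin file paths and header contents in `SAMPLE_PLUGINS` are constructed for the demo and are not real plugin code.

```python
"""Audit installed WordPress plugins against the January 2020 list on this page.

Added example, not part of the original post. Reads the plugin header the way
WordPress does (Key: value lines in the leading comment of the main file),
compares the version to the advisory ceiling, and reports update needs.
"""
import re
from typing import Dict, List, Optional, Tuple

# Ceilings transcribed from the list on this page.
# "<=" means "X and below is vulnerable"; "<" means "fixed in X".
ADVISORY: Dict[str, Tuple[str, str]] = {
    "TablePress": ("<=", "1.10"),
    "InfiniteWP Client": ("<=", "1.9.4.5"),
    "WP Database Reset": ("<=", "3.1"),
    "LearnDash": ("<", "3.1.2"),
    "Ultimate FAQ": ("<=", "1.8.30"),
}

# Same shape as WordPress's header regex: optional comment decoration, then
# "Plugin Name:" or "Version:", then the value up to end of line.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.9.4.5' -> (1, 9, 4, 5). Each dotted piece keeps its leading digits,
    so '2.0-beta' compares as 2.0 (conservative for an update check)."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def compare(a: str, b: str) -> int:
    """Numeric, zero-padded comparison: '3.1' == '3.1.0', '1.10' > '1.9'.
    Returns -1, 0 or 1 (string comparison would get '1.10' < '1.9' wrong)."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return (va > vb) - (va < vb)


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Extract 'Plugin Name' and 'Version' from the first 8 KiB of a plugin's
    main file, the same window WordPress scans for plugin headers."""
    found: Dict[str, str] = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        found.setdefault(key.title(), value.strip())
    return found


def check(name: str, version: str) -> Optional[str]:
    """'VULNERABLE', 'ok', or None when the plugin is not on the list."""
    if name not in ADVISORY:
        return None
    op, boundary = ADVISORY[name]
    cmp = compare(version, boundary)
    vulnerable = cmp <= 0 if op == "<=" else cmp < 0
    return "VULNERABLE" if vulnerable else "ok"


def audit(plugin_files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(plugin name, installed version, status) for every listed plugin found;
    plugins the advisory does not mention are skipped."""
    report = []
    for _path, source in sorted(plugin_files.items()):
        hdr = parse_plugin_header(source)
        name, version = hdr.get("Plugin Name"), hdr.get("Version")
        if not name or not version:
            continue  # not a main plugin file, or header is incomplete
        status = check(name, version)
        if status is not None:
            report.append((name, version, status))
    return report


# Constructed sample plugin files (paths and headers made up for the demo,
# not real plugin code) to exercise the audit.
SAMPLE_PLUGINS = {
    "tablepress/tablepress.php": "<?php\n/*\nPlugin Name: TablePress\nVersion: 1.10\n*/\n",
    "infinitewp-client/init.php": "<?php\n/**\n * Plugin Name: InfiniteWP Client\n * Version: 1.9.4.6\n */\n",
    "learndash/learndash.php": "<?php\n/*\nPlugin Name: LearnDash\nVersion: 3.1.1\n*/\n",
    "wp-database-reset/wp-reset.php": "<?php\n/*\nPlugin Name: WP Database Reset\nVersion: 3.1\n*/\n",
    "hello.php": "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.6\n*/\n",
}

if __name__ == "__main__":
    for name, version, status in audit(SAMPLE_PLUGINS):
        print(f"{status:10} {name} {version}")
```

On a live site the `plugin_files` dictionary would be built by walking `wp-content/plugins/` and reading each plugin's main file; where WP-CLI is available, `wp plugin list --format=json` yields the same name and version pairs without parsing headers. Note that an exact match on the ceiling ("1.10" against "1.10 and below") is reported as vulnerable, and that a "fixed in X" entry only clears a version equal to or above X.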
DOM Cross-Site Scripting in Chatbot with IBM Watson Plugin
Vulnerability type: DOM-based XSS
Vulnerable version: 0.8.21 and below
Number of sites affected: 2 000+
--------------------------------------
Authenticated Stored Cross-Site Scripting Issue in Contextual Adminbar Color Plugin
Vulnerability type: Authenticated stored cross-site scripting issue
Vulnerable version: 0.3 and below
Number of sites affected: 40+
--------------------------------------
Authenticated Arbitrary Plugin Deactivation in 2J SlideShow Plugin
Vulnerability type: Authenticated arbitrary plugin deactivation
Vulnerable version: 1.3.40 and below
Number of sites affected: 3 000+
--------------------------------------
Broken Authentication Leading To Unauthenticated Stored XSS in Batch-Move Posts Plugin
Vulnerability type: Broken authentication leading to unauthenticated stored XSS
Vulnerable version: 1.5 and below
Number of sites affected: N/A
--------------------------------------
CSRF to XSS in Marketo Forms and Tracking Plugin
Vulnerability type: CSRF to XSS
Vulnerable version: 1.0.2 and below
Number of sites affected: N/A
--------------------------------------
Reflected XSS in Chained Quiz Plugin
Vulnerability type: Reflected XSS
Vulnerable version: 1.1.8.2 and below
Number of sites affected: 1 000+
--------------------------------------
Multiple Vulnerabilities in WP Database Reset Plugin
Vulnerability type: Unauthenticated database reset
Vulnerable version: 3.1 and below
Number of sites affected: 80 000+
Vulnerability type: Privilege escalation
Vulnerable version: 3.1 and below
Number of sites affected: 80 000+
--------------------------------------
Reflected Cross-Site Scripting in LearnDash Plugin
Vulnerability type: Reflected cross-site scripting (XSS) in the [ld_profile] search field
Vulnerable version: below 3.1.2 (fixed in 3.1.2)
Number of sites affected: N/A
--------------------------------------
Authenticated Stored XSS in Video on Admin Dashboard Plugin
Vulnerability type: Authenticated stored XSS
Vulnerable version: below 1.1.4 (fixed in 1.1.4)
Number of sites affected: 40+
--------------------------------------
Authenticated Stored XSS in Computer Repair Shop Plugin
Vulnerability type: Authenticated stored XSS
Vulnerable version: below 2.0 (fixed in 2.0)
Number of sites affected: 40+
--------------------------------------
CSV Injection in TablePress Plugin
Vulnerability type: CSV injection
Vulnerable version: 1.10 and below
Number of sites affected: 800 000+
--------------------------------------
CSV Injection in WooCommerce – Store Exporter Plugin
Vulnerability type: CSV injection
Vulnerable version: 2.4 and below
Number of sites affected: 20 000+
--------------------------------------
Authentication Bypass in Backup and Staging by WP Time Capsule
Vulnerability type: Authentication bypass
Vulnerable version: 1.21.16 and below
Number of sites affected: 20 000+
--------------------------------------
Authentication Bypass in InfiniteWP Client Plugin
Vulnerability type: Authentication bypass
Vulnerable version: 1.9.4.5 and below
Number of sites affected: 300 000+
--------------------------------------
Multiple Vulnerabilities Patched in Minimal Coming Soon & Maintenance Mode – Coming Soon Page Plugin
Vulnerability type: CSRF to Stored XSS and Setting Changes
Vulnerable version: 2.15 and below
Number of sites affected: 80 000+
Vulnerability type: Insecure permissions: enable and disable maintenance mode
Vulnerable version: 2.15 and below
Number of sites affected: 80 000+
--------------------------------------
Multiple CSRF & XSS in Ultimate Auction Plugin
Vulnerability type: Multiple CSRF & XSS
Vulnerable version: 4.0.6 and below
Number of sites affected: 3 000+
--------------------------------------
Authenticated Code Injection in ElegantThemes (Divi, Extra, Divi-Builder)
Vulnerability type: Authenticated code injection
Vulnerable version: 4.0.10 and below
Number of sites affected: N/A
--------------------------------------
CSRF to XSS in WooCommerce Conversion Tracking Plugin
Vulnerability type: CSRF to XSS
Vulnerable version: 2.0.5 and below
Number of sites affected: 20 000+
--------------------------------------
Post Submission Spoofing & Stored XSS in Postie Plugin
Vulnerability type: Post submission spoofing & stored XSS
Vulnerable version: 1.9.40 and below
Number of sites affected: 20 000+
--------------------------------------
Unauthorized Authenticated Users Export in Import Users From CSV with Meta
Vulnerability type: Unauthorized user export by authenticated users
Vulnerable version: 1.15
Number of sites affected: 30 000+
--------------------------------------
Unauthenticated Reflected XSS in Ultimate FAQ Plugin
Vulnerability type: Unauthenticated reflected XSS
Vulnerable version: 1.8.30 and below
Number of sites affected: 40 000+
--------------------------------------
Arbitrary API Key update via CSRF in WP Simple Spreadsheet Fetcher For Google Plugin
Vulnerability type: Arbitrary API key update via CSRF
Vulnerable version: 0.3.7 and below
Number of sites affected: about 10
--------------------------------------