Latest WordPress and plugin security vulnerabilities
Several new vulnerabilities in WordPress plugins and themes were disclosed during January 2021, so we want to keep you informed. In this article we cover the recently disclosed WordPress plugin and theme vulnerabilities.
Check promptly for updates to these plugins and themes. If no update is available, you should remove them from your WordPress installation.
WordPress Plugin Vulnerabilities
- Under Construction, Coming Soon & Maintenance Mode < 1.1.2 – Server Side Request Forgery (SSRF)
- Under Construction, Coming Soon & Maintenance Mode < 1.1.2 – Reflected Cross-Site Scripting (XSS)
- NextGEN Gallery Pro < 3.1.11 – Reflected Cross-Site Scripting (XSS)
- Web-Stat < 1.4.1 – API Key Disclosure
- Photo Gallery by 10web < 1.5.69 – Reflected Cross-Site Scripting (XSS)
- YITH WooCommerce Gift Cards Premium < 3.3.1 – RCE via Arbitrary File Upload
- QuadMenu < 2.0.7 – Unauthenticated RCE via compiler_save
- WP Content Plus < 3.2 – CSRF Nonce Bypass
- Testimonial Rotator <= 3.0.3 – Authenticated Stored Cross-Site Scripting
- Backup Guard < 1.6.0 – Authenticated Arbitrary File Upload
- eCommerce Product Catalog < 3.0.18 – CSRF Nonce Bypass
- Better Search < 2.5.3 – CSRF Nonce Bypass in Import/Export
- Process Steps Template Designer < 1.3 – CSRF to Stored Cross-Site Scripting (XSS)
- Custom Banners < 3.3 – CSRF Nonce Bypass in saveCustomFields
- Ninja Forms < 3.4.34 – CSRF to OAuth Service Disconnection
- Ninja Forms < 3.4.34 – Administrator Open Redirect
- Ninja Forms < 3.4.34.1 – Authenticated OAuth Connection Key Disclosure
- Ninja Forms < 3.4.34 – Authenticated SendWP Plugin Installation and Client Secret Key Disclosure
- Zebra_Form Library <= 2.9.8 – Reflected Cross-Site Scripting (XSS)
- Theme Editor < 2.6 – Authenticated Arbitrary File Download
- Post SMTP Mailer/Email Log < 2.0.21 – CSRF Nonce Bypass
- All In One WP Security & Firewall < 4.4.6 – Authenticated Cross-Site Scripting (XSS)
- Responsive Menu 4.0.0 – 4.0.3 – Authenticated Arbitrary File Upload
- Responsive Menu < 4.0.4 – CSRF to Arbitrary File Upload
- Responsive Menu < 4.0.4 – CSRF to Settings Update
- Map Block for Google Maps < 1.32 – Unauthorised Google API Key change
- NextGen Gallery < 3.5.0 – CSRF allows File Upload
- NextGen Gallery < 3.5.0 – CSRF allows File Upload, Stored XSS, and RCE
- Ultimate Maps by Supsystic < 1.1.17 – Authenticated SQL Injections
- Pricing Table by Supsystic < 1.8.9 – Authenticated SQL Injections
- Pricing Table by Supsystic < 1.9.0 – Authenticated Stored Cross-Site Scripting
- Newsletter by Supsystic <= 1.5.6 – Authenticated SQL Injection
- Membership by Supsystic <= 1.5.0 – Authenticated SQL Injection
- Digital Publications by Supsystic <= 1.6.11 – Authenticated Stored Cross-Site Scripting (XSS)
- Digital Publications by Supsystic < 1.6.12 – Authenticated Path Traversal
- Data Tables Generator by Supsystic < 1.10.0 – Authenticated SQL Injection
- Data Tables Generator by Supsystic < 1.10.1 – Authenticated Stored Cross-Site Scripting (XSS)
- Contact Form by Supsystic < 1.7.11 – Authenticated SQL Injections
- Contact Form by Supsystic < 1.7.7 – Authenticated Stored Cross-Site Scripting (XSS)
- Backup by Supsystic <= 2.3.9 – Authenticated Arbitrary File Download and Deletion
- WP Amour < 1.5.7 – Authenticated Stored Cross-Site Scripting (XSS)
- Welcart e-Commerce < 2.1.1 – Authenticated SQL Injection
- Paid Membership Pro < 2.5.3 – Unauthorised Order Information Disclosure
- Like Button Rating < 2.6.32 – Unauthenticated Full-Read SSRF
- Ultimate GDPR & CCPA Compliance Toolkit < 2.5 – Unauthenticated Plugin Settings Export and Import
- Name Directory < 1.18 – Cross-Site Request Forgery (CSRF)
- Contact Form 7 Style <= 3.1.9 – Cross-Site Request Forgery to Stored Cross-Site Scripting
- Photo Gallery by 10Web < 1.5.68 – Cross-Site Scripting (XSS)
- Popup Builder < 3.74 – Authenticated Reflected Cross-Site Scripting (XSS)
- MStore API < 3.2.0 – Authentication Bypass With Sign In With Apple
- WP Editor < 1.2.7 – Authenticated SQL injection
- Ivory Search < 4.5.11 – Authenticated Reflected Cross-Site Scripting (XSS)
WordPress Theme Vulnerabilities
What to do
The vulnerabilities have not been patched. Keep an eye on the changelog for an update that includes a fix.
Maintaining your WordPress site means applying regular updates in order to avoid bugs and hacking problems.
Our WordPress maintenance solutions start from €34 excl. VAT per month.
Source: WPScan