Latest WordPress and plugin security vulnerabilities
Several new WordPress plugin and theme vulnerabilities were disclosed during January 2021, so we want to keep you informed. In this article we cover the recently disclosed WordPress plugin and theme vulnerabilities.
You should quickly check for updates to these plugins/themes. If no update is available, you must remove them from your WordPress installation!
WordPress Plugin Vulnerabilities
- Modern Events Calendar Lite < 5.16.6 – Authenticated SQL Injection
- Modern Events Calendar Lite < 5.16.5 – Authenticated Arbitrary File Upload leading to RCE
- Modern Events Calendar Lite < 5.16.5 – Unauthenticated Events Export
- Modern Events Calendar Lite < 5.16.5 – Authenticated Stored Cross-Site Scripting (XSS)
- Super Forms <= 4.9.602 – Unauthenticated PHP4 File Upload to RCE
- uListing < 1.7 – Unauthenticated Arbitrary Post/Page Deletion
- uListing < 1.7 – Unauthenticated SQL Injections
- uListing < 1.7 – Unauthenticated Arbitrary Roles and Capabilities Creation/Deletion
- uListing < 1.7 – Unauthenticated Information Disclosure
- uListing < 1.7 – Unauthenticated WordPress Options Change
- uListing < 1.7 – Unauthenticated Arbitrary Account Change
- uListing < 1.7 – Unauthenticated Arbitrary Account Creation
- Contact Form 7 Database Addon < 1.2.5.6 – CSV Injection
- Doneren met Mollie < 2.8.5 – Unauthorised CSV Export leading to Sensitive Data Disclosure
- Contact Form 7 Database Addon < 1.2.5.4 – Authenticated SQL Injections
- Digital Climate Strike WP <= 1.0.0 – Redirect to Malicious Website due to Compromised JS Asset
- Under Construction < 3.86 – Authenticated Stored Cross-Site Scripting (XSS)
- Stockdio Historical Chart < 2.8.1 – Reflected Cross-Site Scripting (XSS)
- 123ContactForm for WordPress <= 1.5.6 – Unauthenticated Arbitrary File Upload
- 123ContactForm for WordPress <= 1.5.6 – Unauthenticated Arbitrary Post Creation
- 123ContactForm for WordPress <= 1.5.6 – Validation Bypass via Plugin Verification
- e-signature < 1.5.6.8 – Unauthenticated Arbitrary File Upload leading to RCE
- WP Shieldon 1.6.3 – Unauthenticated Cross-Site Scripting (XSS)
- 301 Redirects – Easy Redirect Manager < 2.51 – Authenticated SQL Injection
- Simple Job Board < 2.9.4 – Authenticated Path Traversal Leading to Arbitrary File Download
- FV Flowplayer Video Player < 7.4.38.727 – Authenticated Stored Cross-Site Scripting (XSS)
- Easy Contact Form Pro < 1.1.1.9 – Authenticated Stored Cross-Site Scripting (XSS)
- Elementor Contact Form DB < 1.6 – Unauthenticated & Unauthorised Form Submissions Export
- Elementor Contact Form DB < 1.6 – Plugin Settings Cross-Site Request Forgery
- Orbit Fox by ThemeIsle < 2.10.3 – Authenticated Privilege Escalation
- Orbit Fox by ThemeIsle < 2.10.3 – Authenticated Stored Cross Site Scripting
- WP Quick FrontEnd Editor <= 5.5 – Authenticated Settings Change leading to Stored XSS
- WP Quick FrontEnd Editor <= 5.5 – Authenticated Content Injection
- Custom Global Variables <= 1.0.5 – Stored Cross-Site Scripting (XSS)
- Modal Survey < 2.0.1.8.2 – Authenticated PHP Object Injection
- Modal Survey < 2.0.1.8.2 – Unauthenticated Arbitrary Survey Update, Deletion and Creation
- Modal Survey < 2.0.1.8.2 – Authenticated Reflected Cross-Site Scripting (XSS)
- WP24 Domain Check < 1.6.3 – Authenticated Stored Cross-Site Scripting (XSS)
- Advanced Custom Fields < 5.8.12 – Cross-Site Scripting in Select2 dropdowns
- Elementor < 3.0.14 – SVG Upload Allowed by Default
- Stripe Payments < 2.0.40 – Authenticated Stored Cross-Site Scripting (XSS)
- WP Paginate < 2.1.4 – Authenticated Stored Cross-Site Scripting (XSS)
- Contact Form Submissions <= 1.6.4 – Authenticated SQL Injection
- Contact Form Submissions <= 1.6.4 – Authenticated Double Query SQL injection
What to do
The vulnerabilities have not been patched. Keep an eye on the changelog for an update that includes a fix.
Maintaining your WordPress site ensures regular updates, which helps avoid bugs and hacking problems.
Our WordPress maintenance solutions start at €34 excl. VAT per month