As one of the most popular CMS platforms, WordPress is consequently also the most exposed to cyber attacks. That is why a site that is kept permanently up to date is a site that runs within optimal security parameters.
Updates bring improvements to the system and to its security, and they are indispensable. According to WordPress.org statistics, only 23% of WordPress sites are updated to the latest version, and 52% of vulnerabilities are found in plugins.
Below we present the summary of WordPress vulnerabilities for October 2020.
WORDPRESS VULNERABILITIES
- WordPress < 5.5.2 – Cross-Site Request Forgery (CSRF) to Change Theme Background
- WordPress < 5.5.2 – Protected Meta That Could Lead to Arbitrary File Deletion
- WordPress < 5.5.2 – Stored XSS in Post Slugs
- WordPress < 5.5.2 – DoS Attack Could Lead to RCE
- WordPress < 5.5.2 – XML-RPC Privilege Escalation
- WordPress < 5.5.2 – Cross-Site Scripting (XSS) via Global Variables
- WordPress < 5.5.2 – Disable Spam Embeds from Disabled Sites on a Multisite Network
- WordPress < 5.5.2 – Hardening Deserialization Requests
WORDPRESS PLUGIN VULNERABILITIES
- SW Ajax WooCommerce Search < 1.2.8 – Unauthenticated Reflected XSS & XFS
- Advanced Booking Calendar < 1.6.2 – Unauthenticated SQL Injection
- CM Download Manager < 2.8.0 – Authenticated Cross-Site Scripting
- Loginizer < 1.6.4 – Unauthenticated SQL Injection
- Helios Solutions Brand Logo Slider <= 2.1 – Authenticated Arbitrary File Upload
- SuperStoreFinder Plugins – Unauthenticated Arbitrary File Upload
- Simple Download Monitor < 3.8.9 – SQL Injection
- Simple Download Monitor < 3.8.9 – Unauthenticated Cross-Site Scripting
- TI WooCommerce Wishlist < 1.21.12 – Authenticated WP Options Change
- Comment Press < 2.7.2 – Unauthenticated Cross-Frame Scripting
- Realia <= 1.4 – Unauthenticated IDOR leading to Arbitrary Post Deletion
- Quick Chat <= 4.14 – Authenticated Stored Cross-Site Scripting
- Quick Chat <= 4.14 – Unauthenticated Stored Cross-Site Scripting
- Child Theme Creator by Orbisius < 1.5.2 – CSRF to Arbitrary File Modification/Creation
- Live Chat – Live support < 3.2.0 – Cross-Site Request Forgery
- PowerPress < 8.3.8 – Authenticated Arbitrary File Upload leading to RCE
- Dynamic Content for Elementor < 1.9.6 – Authenticated RCE
- HyperComments <= 1.2.2 – Unauthenticated Arbitrary File Deletion
- WPBakery Page Builder < 6.4.1 – Authenticated Stored Cross-Site Scripting (XSS)
- Post Grid < 2.0.73 & Team Showcase < 1.22.16 – PHP Object Injection
- Post Grid < 2.0.73 & Team Showcase < 1.22.16 – Authenticated Stored Cross-Site Scripting (XSS)
- WordPress + Microsoft Office 365 < 11.7 – JWT Signature Verification Bypass
WORDPRESS THEME VULNERABILITIES
- Greenmart < 2.5.2 – Unauthenticated Reflected Cross-Site Scripting (XSS)
- Greenmart < 2.4.3 – Reflected Cross-Site Scripting (XSS)
- Multiple Themes – Unauthenticated Function Injection
The data belongs to WPScan.