WordPress Plugins

  • Smush Image Compression and Optimization <= 2.7.5 – File Traversal
  • Appointments <= 2.2.1 – Unauthenticated PHP Object Injection
  • Flickr Gallery <= 1.5.2 – Unauthenticated PHP Object Injection
  • RegistrationMagic-Custom Registration Forms <= 3.7.9.2 – Unauthenticated PHP Object Injection
  • Content Timeline – Multiple Blind SQL Injection
  • MarketPress <= 3.2.6 – PHP Object Injection
  • Content Audit <= 1.9.1 – Cross-Site Scripting (XSS) & CSRF
  • Basic Contact Form <= 1.0.3 – Potential Unauthenticated Shell Upload
  • SI CAPTCHA Anti-Spam – files with Spam code (plugin removed from wordpress.org)
  • Display Widgets 2.6.0-2.6.3.1 – Backdoored


WordPress Themes

  • Pinfinity Theme <= 1.9.2 – Reflected Cross-site Scripting (XSS)
  • Bridge Theme <= 11.1 – DOM Cross-Site Scripting (XSS)
  • Salutation Responsive WordPress + BuddyPress Theme <= 3.0.15 – Stored XSS
  • Avada Theme <= 5.1.4 – Stored Cross-Site Scripting (XSS) & CSRF
  • Atahualpa Theme – Authenticated Cross-Site Scripting (XSS)
  • Javo Spot Premium Theme – Unauthenticated Directory Traversal
  • PageLines Platform Theme <= 1.1.4 – Cross-Site Request Forgery (CSRF)


WordPress Core Vulnerabilities

  • WordPress 2.9.2-4.8.1 – Open Redirect
  • WordPress 3.0-4.8.1 – Path Traversal in Unzipping
  • WordPress 2.3.0-4.8.1 – $wpdb->prepare() potential SQL Injection
  • WordPress 4.2.3-4.8.1 – Authenticated Cross-Site Scripting (XSS) in Visual Editor
  • WordPress 4.4-4.8.1 – Cross-Site Scripting (XSS) in oEmbed
  • WordPress 4.4-4.8.1 – Path Traversal in Customizer
  • WordPress 2.3.0-4.7.4 – Authenticated SQL injection

The "Plugin Security Scanner" extension sends email alerts about an old vulnerability that has already been fixed. This is a false positive; disregard that email. The alert concerns:
WordPress 2.3-4.8.2 – Host Header Injection in Password Reset

We strongly advise you to check for updates to these plugins and themes.