WordPress Plugins

  • pootle button <= 1.1.1 – Authenticated Cross-Site Scripting (XSS)
  • Invite Anyone <= 1.3.18 – Unauthenticated PHP Object Injection
  • Simple Login Log <= 1.1.0 – Authenticated SQL Injection
  • Import any XML or CSV File to WordPress <= 3.4.5 – Cross-Site Scripting (XSS)
  • Appointments <= 2.2.1 – Unauthenticated PHP Object Injection
  • Flickr Gallery <= 1.5.2 – Unauthenticated PHP Object Injection
  • RegistrationMagic-Custom Registration Forms <= 3.7.9.2 – Unauthenticated PHP Object Injection


WordPress Themes

  • Pinfinity Theme <= 1.9.2 – Reflected Cross-site Scripting (XSS)
  • Bridge Theme <= 11.1 – DOM Cross-Site Scripting (XSS)
  • Salutation Responsive WordPress + BuddyPress Theme <= 3.0.15 – Stored XSS
  • Avada Theme <= 5.1.4 – Stored Cross-Site Scripting (XSS) & CSRF
  • Atahualpa Theme – Authenticated Cross-Site Scripting (XSS)
  • Javo Spot Premium Theme – Unauthenticated Directory Traversal
  • PageLines Platform Theme <= 1.1.4 – Cross-Site Request Forgery (CSRF)


WordPress Core Vulnerabilities

  • WordPress 2.9.2-4.8.1 – Open Redirect
  • WordPress 3.0-4.8.1 – Path Traversal in Unzipping
  • WordPress 2.3.0-4.8.1 – $wpdb->prepare() potential SQL Injection
  • WordPress 4.2.3-4.8.1 – Authenticated Cross-Site Scripting (XSS) in Visual Editor
  • WordPress 4.4-4.8.1 – Cross-Site Scripting (XSS) in oEmbed
  • WordPress 4.4-4.8.1 – Path Traversal in Customizer
  • WordPress 2.3.0-4.7.4 – Authenticated SQL injection

The "Plugin Security Scanner" extension sends email alerts about an old vulnerability that has already been fixed. This is a false positive; disregard that email.
WordPress 2.3-4.8.2 – Host Header Injection in Password Reset

We strongly advise you to check for updates to these plugins and themes.