WordPress Plugins

  • Caldera Forms <= 1.5.4 – Authenticated Cross-Site Scripting (XSS)
  • User Login History <= 1.5 – Cross-Site Scripting (XSS)
  • Contact Form for WordPress – Ultimate Form Builder Lite <= 1.3.6 – SQL Injection
  • WordCamp Talks <= 1.0.0-beta2 – Formula injection via CSV exports
  • Easy Appointments <= 1.11.7 – Cross-Site Scripting (XSS)
  • pootle button <= 1.1.1 – Authenticated Cross-Site Scripting (XSS)
  • Invite Anyone <= 1.3.18 – Unauthenticated PHP Object Injection
  • PopCash.Net Code Integration Tool <= 1.0 – Cross-Site Scripting (XSS)

WordPress Themes

  • Pinfinity Theme <= 1.9.2 – Reflected Cross-site Scripting (XSS)
  • Bridge Theme <= 11.1 – DOM Cross-Site Scripting (XSS)
  • Salutation Responsive WordPress + BuddyPress Theme <= 3.0.15 – Stored XSS
  • Avada Theme <= 5.1.4 – Stored Cross-Site Scripting (XSS) & CSRF
  • Atahualpa Theme – Authenticated Cross-Site Scripting (XSS)
  • Javo Spot Premium Theme – Unauthenticated Directory Traversal
  • PageLines Platform Theme <= 1.1.4 – Cross-Site Request Forgery (CSRF)

WordPress Core Vulnerabilities

  • WordPress 2.9.2-4.8.1 – Open Redirect
  • WordPress 3.0-4.8.1 – Path Traversal in Unzipping
  • WordPress 2.3.0-4.8.1 – $wpdb->prepare() potential SQL Injection
  • WordPress 4.2.3-4.8.1 – Authenticated Cross-Site Scripting (XSS) in Visual Editor
  • WordPress 4.4-4.8.1 – Cross-Site Scripting (XSS) in oEmbed
  • WordPress 4.4-4.8.1 – Path Traversal in Customizer
  • WordPress 2.3.0-4.7.4 – Authenticated SQL injection

The "Plugin Security Scanner" extension is sending email alerts about an old vulnerability that has already been fixed. This is a false positive; disregard that email. The alert concerns:
WordPress 2.3-4.8.2 – Host Header Injection in Password Reset

We strongly advise you to check for updates to these plugins and themes.