WordPress Plugins

  • WP Support Plus Responsive Ticket System <= 8.0.7 – Remote Code Execution (RCE)
  • WP Mail Logging <= 1.8.2 – Stored Cross-Site Scripting
  • Email Log <= 2.2.2 – Stored Cross-Site Scripting (XSS)
  • UserPro <= 4.9.17 – Authentication Bypass
  • Ultimate Instagram Feed <= 1.3.1 – Authenticated Cross-Site Scripting (XSS)
  • WPML Translation Management <= 2.4.1 – PHP Object Injection
  • Ultimate Instagram Feed <= 1.3 – Authenticated Cross-Site Scripting (XSS)
  • Shortcodes Ultimate <= 5.0.0 – Authenticated Contributor Code Execution
WordPress Themes

  • Pinfinity Theme <= 1.9.2 – Reflected Cross-site Scripting (XSS)
  • Bridge Theme <= 11.1 – DOM Cross-Site Scripting (XSS)
  • Salutation Responsive WordPress + BuddyPress Theme <= 3.0.15 – Stored XSS
  • Avada Theme <= 5.1.4 – Stored Cross-Site Scripting (XSS) & CSRF
  • Atahualpa Theme – Authenticated Cross-Site Scripting (XSS)
  • Javo Spot Premium Theme – Unauthenticated Directory Traversal
  • PageLines Platform Theme <= 1.1.4 – Cross-Site Request Forgery (CSRF)
WordPress Core Vulnerabilities

  • WordPress <= 4.8.2 – $wpdb->prepare() Weakness
  • WordPress 2.9.2-4.8.1 – Open Redirect
  • WordPress 3.0-4.8.1 – Path Traversal in Unzipping
  • WordPress 2.3.0-4.8.1 – $wpdb->prepare() potential SQL Injection
  • WordPress 4.2.3-4.8.1 – Authenticated Cross-Site Scripting (XSS) in Visual Editor
  • WordPress 4.4-4.8.1 – Cross-Site Scripting (XSS) in oEmbed
  • WordPress 4.4-4.8.1 – Path Traversal in Customizer

The "Plugin Security Scanner" extension sends email alerts about an old vulnerability that has already been fixed. This is a false positive; disregard that email.
WordPress 2.3-4.8.3 – Host Header Injection in Password Reset

We strongly advise you to check for updates to these plugins and themes.