WordPress Plugins

  • Yoast SEO <= 5.7.1 – Unauthenticated Cross-Site Scripting (XSS)
  • Formidable Forms <= 2.05.02 – Multiple Vulnerabilities
  • Duplicator <= 1.2.28 – Stored Cross-Site Scripting (XSS)
  • WP Support Plus Responsive Ticket System <= 8.0.7 – Remote Code Execution (RCE)
  • WP Mail Logging <= 1.8.2 – Stored Cross-Site Scripting
  • Email Log <= 2.2.2 – Stored Cross-Site Scripting (XSS)
  • UserPro <= 4.9.17 – Authentication Bypass
  • Ultimate Instagram Feed <= 1.3.1 – Authenticated Cross-Site Scripting (XSS)


WordPress Themes

  • Pinfinity Theme <= 1.9.2 – Reflected Cross-site Scripting (XSS)
  • Bridge Theme <= 11.1 – DOM Cross-Site Scripting (XSS)
  • Salutation Responsive WordPress + BuddyPress Theme <= 3.0.15 – Stored XSS
  • Avada Theme <= 5.1.4 – Stored Cross-Site Scripting (XSS) & CSRF
  • Atahualpa Theme – Authenticated Cross-Site Scripting (XSS)
  • Javo Spot Premium Theme – Unauthenticated Directory Traversal
  • PageLines Platform Theme <= 1.1.4 – Cross-Site Request Forgery (CSRF)


WordPress Core Vulnerabilities

  • WordPress 2.9.2-4.8.1 – Open Redirect
  • WordPress 3.0-4.8.1 – Path Traversal in Unzipping
  • WordPress 2.3.0-4.8.1 – $wpdb->prepare() potential SQL Injection
  • WordPress 4.2.3-4.8.1 – Authenticated Cross-Site Scripting (XSS) in Visual Editor
  • WordPress 4.4-4.8.1 – Cross-Site Scripting (XSS) in oEmbed
  • WordPress 4.4-4.8.1 – Path Traversal in Customizer
  • WordPress 2.3.0-4.7.4 – Authenticated SQL injection

The "Plugin Security Scanner" plugin sends e-mail alerts about an old vulnerability that has already been fixed. This is a false positive; disregard that e-mail.
WordPress 2.3-4.8.2 – Host Header Injection in Password Reset

We strongly advise you to check for updates to these plugins and themes.
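One way to act on this advice is to compare a site's installed versions against the affected-version ceilings listed above. The script below is an added example written for this page; it is not code from the advisory's author or from any of the projects named. It assumes the plugin slugs are the ones WP-CLI (`wp plugin list --fields=name,version`) reports, and the inventory it checks is constructed for illustration. The point it makes beyond the list itself: "<= 5.7.1" must be evaluated numerically, because as strings "5.10" sorts before "5.7.1" and a naive comparison would flag a patched install as vulnerable.

```python
"""Check a WordPress core version and plugin inventory against the
affected-version ceilings in the advisory above.

Added example for this advisory, not code from the advisory's author.
Assumptions: the plugin slugs are those WP-CLI reports; SAMPLE_PLUGINS
and SAMPLE_CORE are constructed, not taken from a real site.
"""
import re

# "<= X" in the advisory: every release up to and including X is affected.
# Slugs are assumed to match `wp plugin list` output.
AFFECTED_PLUGINS = {
    "wordpress-seo": ("5.7.1", "Unauthenticated Cross-Site Scripting (XSS)"),  # Yoast SEO
    "formidable": ("2.05.02", "Multiple Vulnerabilities"),  # Formidable Forms
    "duplicator": ("1.2.28", "Stored Cross-Site Scripting (XSS)"),
    "wp-support-plus-responsive-ticket-system": ("8.0.7", "Remote Code Execution (RCE)"),
    "wp-mail-logging": ("1.8.2", "Stored Cross-Site Scripting"),
    "email-log": ("2.2.2", "Stored Cross-Site Scripting (XSS)"),
    "userpro": ("4.9.17", "Authentication Bypass"),
    "ultimate-instagram-feed": ("1.3.1", "Authenticated Cross-Site Scripting (XSS)"),
}

# Core ranges "A-B" in the advisory: affected if A <= installed <= B.
# The Host Header Injection entry is left out: the advisory says the
# scanner's alert for it is a false positive.
AFFECTED_CORE = [
    ("2.9.2", "4.8.1", "Open Redirect"),
    ("3.0", "4.8.1", "Path Traversal in Unzipping"),
    ("2.3.0", "4.8.1", "$wpdb->prepare() potential SQL Injection"),
    ("4.2.3", "4.8.1", "Authenticated XSS in Visual Editor"),
    ("4.4", "4.8.1", "XSS in oEmbed"),
    ("4.4", "4.8.1", "Path Traversal in Customizer"),
    ("2.3.0", "4.7.4", "Authenticated SQL injection"),
]


def parse_version(version):
    """Turn '2.05.02' into (2, 5, 2) so comparisons are numeric.

    String comparison is wrong here: '5.10' < '5.7.1' as text, yet 5.10
    is the newer release. Non-numeric tails such as '-beta1' are dropped,
    so a pre-release compares like its final release (conservative: it is
    reported as affected whenever the final release would be).
    """
    nums = []
    for part in re.split(r"[.\-+ ]", version.strip()):
        m = re.match(r"\d+", part)
        if m:
            nums.append(int(m.group()))
    while nums and nums[-1] == 0:  # 1.2 and 1.2.0 are the same release
        nums.pop()
    return tuple(nums)


def is_affected(installed, ceiling):
    """True when installed <= ceiling, compared component by component."""
    return parse_version(installed) <= parse_version(ceiling)


def in_range(installed, low, high):
    """True when low <= installed <= high (inclusive core version range)."""
    v = parse_version(installed)
    return parse_version(low) <= v <= parse_version(high)


def check_site(core_version, plugins):
    """Return (component, installed_version, issue) for every match."""
    findings = []
    for low, high, issue in AFFECTED_CORE:
        if in_range(core_version, low, high):
            findings.append(("wordpress-core", core_version, issue))
    for slug, installed in sorted(plugins.items()):
        if slug in AFFECTED_PLUGINS:
            ceiling, issue = AFFECTED_PLUGINS[slug]
            if is_affected(installed, ceiling):
                findings.append((slug, installed, issue))
    return findings


# Constructed inventory for a hypothetical site on WordPress 4.8.1.
SAMPLE_CORE = "4.8.1"
SAMPLE_PLUGINS = {
    "wordpress-seo": "5.10",  # newer than 5.7.1 although it sorts before it as text
    "duplicator": "1.2.28",   # exactly the ceiling: still affected
    "email-log": "2.3.0",     # one release past the ceiling: clean
    "userpro": "4.9.17",      # affected
    "akismet": "4.0",         # not listed in the advisory
}

if __name__ == "__main__":
    for component, version, issue in check_site(SAMPLE_CORE, SAMPLE_PLUGINS):
        print(f"UPDATE {component} {version}: {issue}")
```

Feeding the script real data is a matter of replacing SAMPLE_PLUGINS with the parsed output of `wp plugin list --format=json` (and the same for `wp theme list` once the theme ceilings are added); the comparison logic stays unchanged. Note that a premium plugin such as UserPro may report its version differently from the wordpress.org listing, so check the slug and version string the site actually exposes.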