Between July 14 and August 15, 2020, one WordPress-related advisory (a single vulnerability) was published on JVN.

  1. JVN#05502028
    2020/07/22
    WordPress
    Cross-site request forgery (CSRF) vulnerability
    https://jvn.jp/jp/JVN05502028/
    Social Sharing Plugin

Plugins, as usual, are the part that needs watching.

Incidentally, I also picked up WordPress vulnerability information that is not listed on JVN, so I am pasting it below. This covers July 2020 (plugin and theme advisories, listed by affected product and version range).

WordPress Plugin Vulnerabilities

  • Quiz And Survey Master < 7.0.0 - Authenticated Stored Cross-Site Scripting (XSS)
  • Gallery PhotoBlocks < 1.2.0 - Authenticated Cross-Site Scripting (XSS)
  • Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload
  • WooCommerce Subscriptions < 2.6.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
  • JobSearch < 1.5.6 - Unauthenticated Reflected XSS
  • Social Sharing Plugin < 1.2.10 - Cross-Site Request Forgery in Settings
  • TC Custom JavaScript < 1.2.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
  • JobSearch < 1.5.5 - Unauthenticated Reflected Cross-Site Scripting
  • Email Subscribers & Newsletters < 4.5.1 - Authenticated SQL injection in es_newsletters_settings_callback()
  • Email Subscribers & Newsletters < 4.5.1 - Cross-site Request Forgery in send_test_email()
  • All in One SEO Pack < 3.6.2 - Authenticated Stored Cross-Site Scripting
  • Email Verification for WooCommerce < 1.8.2 - Loose Comparison to Authentication Bypass
  • SendPress Newsletter < 1.20.7.13 - Authenticated Stored Cross-Site Scripting (XSS)
  • Form Maker by 10Web < 1.13.40 - Authenticated Reflected XSS
  • Newsletter < 6.7.7 - Authenticated Stored Cross-Site Scripting
  • WP-Live Chat by 3CX < 8.2.0 - Authenticated Stored Cross-Site Scripting
  • SRS Simple Hits Counter <= 1.0.4 - Unauthenticated Blind SQL Injection
  • Powie's WHOIS Domain Check < 0.9.33 - Authenticated Stored Cross-Site Scripting
  • Wise Chat < 2.8.4 - CSV Injection
  • Knight Lab Timeline < 3.7.0.0 - Outdated TimelineJS library could Lead to Stored XSS
  • KingComposer < 2.9.5 - Unauthenticated Reflected Cross-Site Scripting
  • Adning Advertising < 1.5.6 - Unauthenticated Arbitrary File Upload/Deletion
  • Security & Malware scan by CleanTalk < 2.51 - Security Nonce Leak leading to Unauthorised AJAX call
  • JobSearch < 1.5.3 - Multiple Cross-Site Scripting Issues
  • Testimonials Widget <= 3.5.1 - Multiple Authenticated Stored (XSS)
  • Payment Form For Paypal Pro < 1.1.65 - Unauthenticated SQL Injection
  • WPForms < 1.6.0.2 - Authenticated Stored Cross-Site Scripting (XSS)

WordPress Theme Vulnerabilities

  • JobCareer < 3.5 - Multiple Cross-Site Scripting (XSS)
  • Reality < 2.5.6 - Multiple Reflected Cross-Site Scripting (XSS)
  • Real Estate 7 < 3.0.4 - Unauthenticated Reflected XSS
  • CarePlus <= 1.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
  • Careerfy < 4.4.0 - Unauthenticated Reflected XSS
  • Careerfy < 4.3.0 - Unauthenticated Reflected Cross-Site Scripting
  • Golo < 1.3.3 - Unauthenticated Reflected XSS
  • Jetapo < 1.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
  • Workio – Job Board < 1.0.3 - Unauthenticated Reflected XSS
  • Workup – Job Board < 2.1.6 - Unauthenticated Reflected XSS
  • Findgo - Directory Listing < 1.3.32 - Unauthenticated Reflected and Authenticated Stored XSS
  • Prolisting - Directory Listing < 1.27 - Unauthenticated Reflected XSS
  • Kormosala – Job Board < 1.0.23 - Unauthenticated Reflected XSS
  • Findus - Directory Listing < 1.1.15 - Authenticated Persistent XSS
  • InJob < 3.4.1 - Authenticated Reflected Cross-Site Scripting (XSS)
  • Travel Booking < 2.8.4 - Unauthenticated Cross-Site Scripting (XSS)
  • Travel Booking < 2.8.4 - Unauthenticated SQL Injection
  • Monalisa < 2.1.3 - Unauthenticated Reflected Cross-Site Scripting (XSS)
  • Careerfy < 4.1.0 - Multiple Cross-Site Scripting (XSS) Issues
  • CareerUp < 2.3.1 - Unauthenticated Reflected Cross-Site Scripting

That is quite a lot. Since most of the entries above are of the form "product < fixed version", the practical takeaway is that you need to check daily whether an update has been released for every plugin and theme you run, and apply it.
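To make that daily check concrete, here is an added example (my own code, not part of the original post and not from JVN or the advisory source): a small Python checker that parses advisory titles in the format used in the lists above ("Name < 1.2.10 - …", "Name <= 1.0.4 - …", and the explicit range "Name 7.0.0 - 7.0.4 - …") and flags any installed plugin or theme whose version falls inside the affected range. Versions are compared numerically, component by component, because a plain string comparison would rank 1.2.9 above 1.2.10. The `INSTALLED` inventory is constructed sample data, not a real site.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Patterns for the two title shapes used in the advisory lists:
#   "Name < 1.2.10 - Description"  /  "Name <= 1.0.4 - Description"
#   "Name 7.0.0 - 7.0.4 - Description"   (an inclusive affected range)
# The name is matched non-greedily so names containing " - " still parse.
_BOUND_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<op><=|<)\s+(?P<ver>\d+(?:\.\d+)*)\s+-\s+(?P<desc>.+)$"
)
_RANGE_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<lo>\d+(?:\.\d+)*)\s+-\s+(?P<hi>\d+(?:\.\d+)*)\s+-\s+(?P<desc>.+)$"
)


def cmp_versions(a: str, b: str) -> int:
    """Compare dotted numeric versions numerically, padding the shorter with zeros.
    Returns -1, 0 or 1.  '1.2.10' > '1.2.9' and '7.0' == '7.0.0', both of which a
    plain string comparison gets wrong."""
    pa = [int(p) for p in a.split(".")]
    pb = [int(p) for p in b.split(".")]
    n = max(len(pa), len(pb))
    pa += [0] * (n - len(pa))
    pb += [0] * (n - len(pb))
    return (pa > pb) - (pa < pb)


@dataclass(frozen=True)
class Advisory:
    name: str
    desc: str
    lo: Optional[str]   # inclusive lower bound, or None when only an upper bound is given
    hi: str             # upper bound of the affected range
    hi_inclusive: bool  # True for "<=" and for explicit ranges, False for "<"

    def affects(self, version: str) -> bool:
        """True if the installed version lies inside the affected range."""
        if self.lo is not None and cmp_versions(version, self.lo) < 0:
            return False
        c = cmp_versions(version, self.hi)
        return c <= 0 if self.hi_inclusive else c < 0


def parse_advisory(line: str) -> Advisory:
    """Parse one bullet from the vulnerability lists into an Advisory."""
    text = line.strip().lstrip("•").strip()
    m = _BOUND_RE.match(text)
    if m:
        return Advisory(m["name"], m["desc"], None, m["ver"], m["op"] == "<=")
    m = _RANGE_RE.match(text)
    if m:
        return Advisory(m["name"], m["desc"], m["lo"], m["hi"], True)
    raise ValueError(f"unrecognised advisory line: {line!r}")


def find_affected(installed: dict, advisory_lines) -> list:
    """Return (name, installed_version, description) for every advisory whose
    affected range contains the installed version of that plugin or theme."""
    hits = []
    for adv in (parse_advisory(l) for l in advisory_lines if l.strip()):
        ver = installed.get(adv.name)
        if ver is not None and adv.affects(ver):
            hits.append((adv.name, ver, adv.desc))
    return hits


# A few entries copied verbatim from the July 2020 plugin list above.
ADVISORIES = """
  • Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload
  • Social Sharing Plugin < 1.2.10 - Cross-Site Request Forgery in Settings
  • SRS Simple Hits Counter <= 1.0.4 - Unauthenticated Blind SQL Injection
  • Email Verification for WooCommerce < 1.8.2 - Loose Comparison to Authentication Bypass
""".strip().splitlines()

# Constructed sample inventory (display name -> installed version); not real data.
INSTALLED = {
    "Comments - wpDiscuz": "7.0.3",           # inside the 7.0.0 - 7.0.4 range
    "Social Sharing Plugin": "1.2.10",        # exactly the fixed version, so clean
    "SRS Simple Hits Counter": "1.0.4",       # "<=" makes the last listed version affected
    "Email Verification for WooCommerce": "1.8.2",
}

if __name__ == "__main__":
    for name, ver, desc in find_affected(INSTALLED, ADVISORIES):
        print(f"UPDATE NEEDED: {name} {ver}: {desc}")
```

On a real site the inventory can be produced with WP-CLI (`wp plugin list --fields=name,version --format=json` and the equivalent `wp theme list`); note that WP-CLI reports the plugin slug rather than the display name used in the advisory titles, so a slug-to-name mapping (an assumption here, not shown) is needed before the lookup.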

The previous roundup is here.