One WordPress vulnerability was published on JVN between July 14 and August 15, 2020.
- JVN#05502028 (2020/07/22): WordPress, Social Sharing Plugin, cross-site request forgery vulnerability
  https://jvn.jp/jp/JVN05502028/
Plugins are the part to watch.
Incidentally, I also picked up WordPress advisories that were not posted on JVN, so I am pasting them here. These are for July 2020.
WordPress Plugin Vulnerabilities
- Quiz And Survey Master < 7.0.0 - Authenticated Stored Cross-Site Scripting (XSS)
- Gallery PhotoBlocks < 1.2.0 - Authenticated Cross-Site Scripting (XSS)
- Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload
- WooCommerce Subscriptions < 2.6.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
- JobSearch < 1.5.6 - Unauthenticated Reflected XSS
- Social Sharing Plugin < 1.2.10 - Cross-Site Request Forgery in Settings
- TC Custom JavaScript < 1.2.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
- JobSearch < 1.5.5 - Unauthenticated Reflected Cross-Site Scripting
- Email Subscribers & Newsletters < 4.5.1 - Authenticated SQL injection in es_newsletters_settings_callback()
- Email Subscribers & Newsletters < 4.5.1 - Cross-site Request Forgery in send_test_email()
- All in One SEO Pack < 3.6.2 - Authenticated Stored Cross-Site Scripting
- Email Verification for WooCommerce < 1.8.2 - Loose Comparison to Authentication Bypass
- SendPress Newsletter < 1.20.7.13 - Authenticated Stored Cross-Site Scripting (XSS)
- Form Maker by 10Web < 1.13.40 - Authenticated Reflected XSS
- Newsletter < 6.7.7 - Authenticated Stored Cross-Site Scripting
- WP-Live Chat by 3CX < 8.2.0 - Authenticated Stored Cross-Site Scripting
- SRS Simple Hits Counter <= 1.0.4 - Unauthenticated Blind SQL Injection
- Powie's WHOIS Domain Check < 0.9.33 - Authenticated Stored Cross-Site Scripting
- Wise Chat < 2.8.4 - CSV Injection
- Knight Lab Timeline < 3.7.0.0 - Outdated TimelineJS library could Lead to Stored XSS
- KingComposer < 2.9.5 - Unauthenticated Reflected Cross-Site Scripting
- Adning Advertising < 1.5.6 - Unauthenticated Arbitrary File Upload/Deletion
- Security & Malware scan by CleanTalk < 2.51 - Security Nonce Leak leading to Unauthorised AJAX call
- JobSearch < 1.5.3 - Multiple Cross-Site Scripting Issues
- Testimonials Widget <= 3.5.1 - Multiple Authenticated Stored (XSS)
- Payment Form For Paypal Pro < 1.1.65 - Unauthenticated SQL Injection
- WPForms < 1.6.0.2 - Authenticated Stored Cross-Site Scripting (XSS)
WordPress Theme Vulnerabilities
- JobCareer < 3.5 - Multiple Cross-Site Scripting (XSS)
- Reality < 2.5.6 - Multiple Reflected Cross-Site Scripting (XSS)
- Real Estate 7 < 3.0.4 - Unauthenticated Reflected XSS
- CarePlus <= 1.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
- Careerfy < 4.4.0 - Unauthenticated Reflected XSS
- Careerfy < 4.3.0 - Unauthenticated Reflected Cross-Site Scripting
- Golo < 1.3.3 - Unauthenticated Reflected XSS
- Jetapo < 1.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
- Workio – Job Board < 1.0.3 - Unauthenticated Reflected XSS
- Workup – Job Board < 2.1.6 - Unauthenticated Reflected XSS
- Findgo - Directory Listing < 1.3.32 - Unauthenticated Reflected and Authenticated Stored XSS
- Prolisting - Directory Listing < 1.27 - Unauthenticated Reflected XSS
- Kormosala – Job Board < 1.0.23 - Unauthenticated Reflected XSS
- Findus - Directory Listing < 1.1.15 - Authenticated Persistent XSS
- InJob < 3.4.1 - Authenticated Reflected Cross-Site Scripting (XSS)
- Travel Booking < 2.8.4 - Unauthenticated Cross-Site Scripting (XSS)
- Travel Booking < 2.8.4 - Unauthenticated SQL Injection
- Monalisa < 2.1.3 - Unauthenticated Reflected Cross-Site Scripting (XSS)
- Careerfy < 4.1.0 - Multiple Cross-Site Scripting (XSS) Issues
- CareerUp < 2.3.1 - Unauthenticated Reflected Cross-Site Scripting
That is quite a few. Checking every day whether updates are available is necessary.
The previous roundup is here.
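Because every advisory above is written the same way ("Name < version - title", "Name <= version - title", or an inclusive range "Name lo - hi - title"), a site inventory can be checked against the list automatically. The script below is an added example, not code from this post or from WPScan: it parses a handful of the advisory lines copied from the list above, compares them against a constructed plugin inventory, and reports which installed versions fall inside the affected range. It handles the three edge cases the list actually contains: "<" versus "<=", an explicit range (wpDiscuz 7.0.0 - 7.0.4), and version strings of different lengths ("3.7" against "3.7.0.0"). The inventory dictionary and its version numbers are made up for the example.

```python
"""Match a WordPress plugin inventory against WPScan-style advisory titles.

Added example; not code from the post or from WPScan. INVENTORY is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# "Name < 1.2.3 - Title" or "Name <= 1.2.3 - Title"
BOUND_RE = re.compile(r"^(?P<name>.+?) (?P<op><=|<) (?P<ver>\d[\d.]*) - (?P<title>.+)$")
# "Name 7.0.0 - 7.0.4 - Title": inclusive range, both ends affected
RANGE_RE = re.compile(r"^(?P<name>.+?) (?P<lo>\d[\d.]*) - (?P<hi>\d[\d.]*) - (?P<title>.+)$")


@dataclass(frozen=True)
class Advisory:
    name: str
    title: str
    lo: Optional[Version]   # inclusive lower bound, None when unbounded below
    hi: Version             # upper bound
    hi_inclusive: bool      # True for "<=" and for explicit ranges


def parse_version(text: str) -> Version:
    """'3.7.0.0' -> (3, 7, 0, 0); rejects anything that is not dotted digits."""
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: Version, b: Version) -> int:
    """Component-wise comparison with zero padding, so '3.7' == '3.7.0.0'."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def parse_advisory(line: str) -> Advisory:
    """Parse one advisory line. The bound form is tried first so that a name
    containing ' - ' (e.g. 'Comments - wpDiscuz') cannot be misread as a range."""
    line = line.strip().lstrip("-").strip()
    m = BOUND_RE.match(line)
    if m:
        return Advisory(m["name"], m["title"], None,
                        parse_version(m["ver"]), m["op"] == "<=")
    m = RANGE_RE.match(line)
    if m:
        return Advisory(m["name"], m["title"], parse_version(m["lo"]),
                        parse_version(m["hi"]), True)
    raise ValueError(f"unrecognised advisory line: {line!r}")


def affected(adv: Advisory, installed: Version) -> bool:
    """True when the installed version lies inside the advisory's range."""
    if adv.lo is not None and compare(installed, adv.lo) < 0:
        return False
    c = compare(installed, adv.hi)
    return c < 0 or (c == 0 and adv.hi_inclusive)


def check_inventory(advisory_lines: List[str],
                    inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, installed version, advisory title) for every hit.

    Keys of `inventory` must match the advisory's display name exactly; in a
    real deployment you would map plugin slugs to these names first."""
    hits = []
    for line in advisory_lines:
        adv = parse_advisory(line)
        if adv.name in inventory and affected(adv, parse_version(inventory[adv.name])):
            hits.append((adv.name, inventory[adv.name], adv.title))
    return hits


# Advisory lines copied from the list above.
ADVISORIES = [
    "- Quiz And Survey Master < 7.0.0 - Authenticated Stored Cross-Site Scripting (XSS)",
    "- Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload",
    "- SRS Simple Hits Counter <= 1.0.4 - Unauthenticated Blind SQL Injection",
    "- Knight Lab Timeline < 3.7.0.0 - Outdated TimelineJS library could Lead to Stored XSS",
    "- WPForms < 1.6.0.2 - Authenticated Stored Cross-Site Scripting (XSS)",
]

# Constructed inventory: plugin display name -> installed version.
INVENTORY = {
    "Quiz And Survey Master": "7.0.0",   # at the fixed version: not affected
    "Comments - wpDiscuz": "7.0.4",      # top of the inclusive range: affected
    "SRS Simple Hits Counter": "1.0.4",  # "<=" bound: affected
    "Knight Lab Timeline": "3.7",        # equals 3.7.0.0 under "<": not affected
    "WPForms": "1.6.0.1",                # below 1.6.0.2: affected
}

if __name__ == "__main__":
    for name, ver, title in check_inventory(ADVISORIES, INVENTORY):
        print(f"{name} {ver}: {title}")
```

Running it lists wpDiscuz, SRS Simple Hits Counter and WPForms as affected. The one thing the advisory title does not tell you is the plugin slug, so the name lookup is the fragile step; key the inventory on whatever identifier your advisory feed uses once you move beyond copying titles from a blog post.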