Between 15 November and 24 December 2020, two advisories covering three vulnerabilities were published.

  1. JVN#94245475
    2020/11/18
    Movable Type Premium
    Cross-site scripting vulnerability
    http://jvn.jp/jp/JVN94245475/
  2. JVN#24457594
    2020/12/03
    EC-CUBE
    Clickjacking vulnerability
    http://jvn.jp/jp/JVN24457594/
  3. JVN#24457594
    2020/12/03
    EC-CUBE
    Improper input validation vulnerability
    http://jvn.jp/jp/JVN24457594/

Incidentally, I also picked up some WordPress information that has not been posted to JVN, so I am including it here. This covers November 2020.

WordPress Plugin Vulnerabilities

  • BuddyPress < 6.4.0 - Lack of Capability Check on Profile Page
  • WP Google Map Plugin <= 4.1.3 - Authenticated SQL Injection
  • WPJobBoard < 5.7.0 - Unauthenticated SQL Injection
  • WPJobBoard < 5.7.0 - Unauthenticated Reflected XSS & XFS
  • Media Library Assistant < 2.90 - Authenticated Blind SQL Injection
  • Secure File Manager - Authenticated Remote Command Execution
  • WooCommerce Anti-Fraud <= 3.2 - Unauthenticated Order Status Manipulation
  • Anti-Spam by CleanTalk < 5.149 - Multiple Authenticated SQL Injections
  • Weforms <= 1.4.7 - CSV Injection
  • Easy Registration Forms <= 2.0.6 - CSV Injection
  • Import and export users and customers < 1.16.3.6 - CSV Injection
  • Contextual Related Posts < 2.9.4 - CSRF Nonce Validation Bypass
  • Fancy Product Designer < 4.5.1 - Unauthenticated Stored Cross-Site Scripting
  • [0day] AIT CSV Import / Export <= 3.0.3 - Unauthenticated Arbitrary File Upload
  • BA Book Everything < 1.3.25 - Unauthenticated Reflected XSS & XFS
  • Good LMS < 2.1.5 - Unauthenticated SQL Injection
  • Ultimate Reviews < 2.1.33 - Unauthenticated PHP Object Injection
  • Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Meta
  • Ultimate Member < 2.1.12 - Authenticated Privilege Escalation via Profile Update
  • Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Roles
  • Abandoned Cart Lite for WooCommerce < 5.8.3 - Unauthenticated SQL Injection
  • WooCommerce Blocks < 3.7.1 - Guest Account Creation
  • WooCommerce < 4.6.2 - Guest Account Creation
  • Welcart e-Commerce < 1.9.36 - Authenticated PHP Object Injection
  • Augmented Reality <= 1.2.0 - Unauthenticated PHP File Upload leading to RCE
  • GDPR CCPA Compliance Support < 2.4 - Unauthenticated PHP Object Injection
  • WP Activity Log < 4.1.5 - SQL Injection in External Database Module
  • AccessPress Social Icons < 1.8.1 - Authenticated SQL Injection

WordPress Theme Vulnerabilities

  • Wibar <= 1.1.8 - Authenticated Stored Cross-Site Scripting
  • Love Travel 2.0-3.8 - Unauthenticated Reflected XSS & XFS
  • Love Travel < 2.0 - Unauthenticated Reflected XSS & XFS

That is quite a lot. Some of the items on this list are reported as 0-days. I think it is necessary to check every day whether an update has been released.

The previous round-up is here.