2020年12月25日〜2021年1月19日迄の間に公表された脆弱性はありませんでした。

ちなみにWordPressに関してJVNに上がっていない情報も仕入れたので貼っておきます。こちらは2020年12月分になります。

WordPress Plugin Vulnerabilities

  • Site Offline < 1.4.4 - Multiple Cross-Site Request Forgery
  • Newsletter Manager <= 1.5.1 - Unauthenticated Insecure Deserialisation
  • LiteSpeed Cache < 3.6.1 - Authenticated Stored Cross-Site Scripting
  • WP Postratings < 1.86.1 - Authenticated Stored Cross-Site Scripting
  • Envira Gallery Lite < 1.8.3.3 - Authenticated Stored Cross-Site Scripting
  • Simple Social Buttons < 3.2.1 - Unauthenticated Reflected Cross-Site Scripting
  • Simple Social Buttons < 3.2.0 - Reflected Cross-Site Scripting
  • Contact Form 7 < 5.3.2 - Unrestricted File Upload
  • Redux Framework 4.1.22 - 4.1.23 - CSRF Nonce Validation Bypass
  • Redux Framework < 4.1.21 - CSRF Nonce Validation Bypass
  • Limit Login Attempts Reloaded < 2.17.4 - Login Rate Limiting Bypass
  • Limit Login Attempts Reloaded < 2.16.0 - Authenticated Reflected Cross-Site Scripting
  • Total Upkeep by BoldGrid < 1.14.10 - Unauthenticated Backup Download
  • Total Upkeep by BoldGrid < 1.14.10 - Sensitive Data Disclosure (Server IP Address, UID etc)
  • Directories Pro < 1.3.46 - Authenticated Self-Reflected Cross-Site Scripting
  • Directories Pro < 1.3.46 - Authenticated Reflected Cross-Site Scripting
  • Ultimate Category Excluder < 1.2 - Cross-Site Request Forgery
  • Pagelayer < 1.3.5 - Multiple Reflected Cross-Site Scripting (XSS)
  • DiveBook <= 1.1.4 - Unauthenticated SQL Injection
  • DiveBook <= 1.1.4 - Unauthenticated Reflected XSS
  • DiveBook <= 1.1.4 - Improper Authorisation Check
  • Easy WP SMTP < 1.4.3 - Debug Log Disclosure
  • Themify Portfolio Post < 1.1.6 - Authenticated Stored Cross-Site Scripting
  • Profile Builder & Profile Builder Pro < 3.3.3 - Authenticated Blind SQL Injection

WordPress Theme Vulnerabilities

  • ListingPro < 2.6.1 - Unauthenticated Sensitive Data Disclosure (Usernames, Emails etc)
  • ListingPro < 2.6.1 - Unauthenticated Arbitrary Plugin Installation/Activation/Deactivation

相変わらず結構ありますね。ちなみに、このリストは今月のメルマガのトップ記事で紹介した「WPScan」でのチェックに使われている情報になります。

前回の情報はこちら