Between 18 January and 15 February 2021, one vulnerability was published.

  1. JVN#50470170
    2021/02/05
    WordPress
    Cross-site request forgery vulnerability
    http://jvn.jp/jp/JVN50470170/
    Name Directory plugin

Incidentally, I also picked up some WordPress information that has not been posted to JVN, so I'm pasting it here. This covers January 2021.

WordPress Plugin Vulnerabilities

  • Modern Events Calendar Lite < 5.16.6 - Authenticated SQL Injection
  • Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE
  • Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export
  • Modern Events Calendar Lite < 5.16.5 - Authenticated Stored Cross-Site Scripting (XSS)
  • Super Forms <= 4.9.602 - Unauthenticated PHP4 File Upload to RCE
  • uListing < 1.7 - Unauthenticated Arbitrary Post/Page Deletion
  • uListing < 1.7 - Unauthenticated SQL Injections
  • uListing < 1.7 - Unauthenticated Arbitrary Roles and Capabilities Creation/Deletion
  • uListing < 1.7 - Unauthenticated Information Disclosure
  • uListing < 1.7 - Unauthenticated WordPress Options Change
  • uListing < 1.7 - Unauthenticated Arbitrary Account Change
  • uListing < 1.7 - Unauthenticated Arbitrary Account Creation
  • Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection
  • Doneren met Mollie < 2.8.5 - Unauthorised CSV Export leading to Sensitive Data Disclosure
  • Contact Form 7 Database Addon < 1.2.5.4 - Authenticated SQL Injections
  • Digital Climate Strike WP <= 1.0.0 - Redirect to Malicious Website due to Compromised JS Asset
  • Under Construction < 3.86 - Authenticated Stored Cross-Site Scripting (XSS)
  • Stockdio Historical Chart < 2.8.1 - Reflected Cross-Site Scripting (XSS)
  • 123ContactForm for WordPress <= 1.5.6 - Unauthenticated Arbitrary File Upload
  • 123ContactForm for WordPress <= 1.5.6 - Unauthenticated Arbitrary Post Creation
  • 123ContactForm for WordPress <= 1.5.6 - Validation Bypass via Plugin Verification
  • e-signature < 1.5.6.8 - Unauthenticated Arbitrary File Upload leading to RCE
  • WP Shieldon 1.6.3 - Unauthenticated Cross-Site Scripting (XSS)
  • 301 Redirects - Easy Redirect Manager < 2.51 - Authenticated SQL Injection
  • Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download
  • FV Flowplayer Video Player < 7.4.38.727 - Authenticated Stored Cross-Site Scripting (XSS)
  • Easy Contact Form Pro < 1.1.1.9 - Authenticated Stored Cross-Site Scripting (XSS)
  • Elementor Contact Form DB < 1.6 - Unauthenticated & Unauthorised Form Submissions Export
  • Elementor Contact Form DB < 1.6 - Plugin Settings Cross-Site Request Forgery
  • Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Privilege Escalation
  • Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Stored Cross Site Scripting
  • WP Quick FrontEnd Editor <= 5.5 - Authenticated Settings Change leading to Stored XSS
  • WP Quick FrontEnd Editor <= 5.5 - Authenticated Content Injection
  • Custom Global Variables <= 1.0.5 - Stored Cross-Site Scripting (XSS)
  • Modal Survey < 2.0.1.8.2 - Authenticated PHP Object Injection
  • Modal Survey < 2.0.1.8.2 - Unauthenticated Arbitrary Survey Update, Deletion and Creation
  • Modal Survey < 2.0.1.8.2 - Authenticated Reflected Cross-Site Scripting (XSS)
  • WP24 Domain Check < 1.6.3 - Authenticated Stored Cross-Site Scripting (XSS)
  • Advanced Custom Fields < 5.8.12 - Cross-Site Scripting in Select2 dropdowns
  • Elementor < 3.0.14 - SVG Upload Allowed by Default
  • Stripe Payments < 2.0.40 - Authenticated Stored Cross-Site Scripting (XSS)
  • WP Paginate < 2.1.4 - Authenticated Stored Cross-Site Scripting (XSS)
  • Contact Form Submissions <= 1.6.4 - Authenticated SQL Injection
  • Contact Form Submissions <= 1.6.4 - Authenticated Double Query SQL injection

That is quite a lot. I think it is necessary to check every day whether updates have become available.
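The list above is only useful if you can quickly tell which of your installed plugins fall inside an affected range. The following script is an added example (not code from the original post or from any of the listed plugins) that parses advisory lines in the "Plugin < version - Title" form used above, compares them against an installed-plugin inventory, and reports the matches. The inventory dictionary is constructed for illustration and keyed by plugin display name; in practice you would build it from `wp plugin list --format=json` and map slugs to the names the advisories use. A bare version with no operator (as in the WP Shieldon entry) is treated as "exactly that release", which is an assumption about the list's notation.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# A subset of the advisory lines from the list above, as string literals.
ADVISORIES = [
    "Modern Events Calendar Lite < 5.16.6 - Authenticated SQL Injection",
    "Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE",
    "Super Forms <= 4.9.602 - Unauthenticated PHP4 File Upload to RCE",
    "uListing < 1.7 - Unauthenticated SQL Injections",
    "301 Redirects - Easy Redirect Manager < 2.51 - Authenticated SQL Injection",
    "WP Shieldon 1.6.3 - Unauthenticated Cross-Site Scripting (XSS)",
    "Elementor < 3.0.14 - SVG Upload Allowed by Default",
    "Modal Survey < 2.0.1.8.2 - Authenticated PHP Object Injection",
]


class Advisory(NamedTuple):
    plugin: str
    op: str        # "<", "<=" or "==" ("==" is assumed for a bare version)
    version: str
    title: str


# "Plugin <op> version - Title"; the lazy plugin group lets names containing " - "
# (e.g. "301 Redirects - Easy Redirect Manager") parse correctly.
_WITH_OP = re.compile(
    r"^(?P<plugin>.+?)\s+(?P<op><=|<)\s+(?P<ver>\d+(?:\.\d+)*)\s+-\s+(?P<title>.+)$"
)
# "Plugin version - Title" with no operator.
_BARE = re.compile(
    r"^(?P<plugin>.+?)\s+(?P<ver>\d+(?:\.\d+)*)\s+-\s+(?P<title>.+)$"
)


def parse_advisory(line: str) -> Advisory:
    m = _WITH_OP.match(line)
    if m:
        return Advisory(m["plugin"], m["op"], m["ver"], m["title"])
    m = _BARE.match(line)
    if m:
        return Advisory(m["plugin"], "==", m["ver"], m["title"])
    raise ValueError(f"unrecognised advisory line: {line!r}")


def compare(a: str, b: str) -> int:
    """Dotted-integer version compare: -1 if a < b, 0 if equal, 1 if a > b.
    Shorter versions are zero-padded, so 1.7 == 1.7.0 and 2.51 > 2.5.1."""
    ka = tuple(int(p) for p in a.split("."))
    kb = tuple(int(p) for p in b.split("."))
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(installed: str, adv: Advisory) -> bool:
    c = compare(installed, adv.version)
    if adv.op == "<":
        return c < 0
    if adv.op == "<=":
        return c <= 0
    return c == 0


def find_affected(inventory: dict[str, str],
                  lines: list[str] = ADVISORIES) -> list[tuple[str, str, str]]:
    """Return (plugin, installed version, advisory title) for every match."""
    hits = []
    for line in lines:
        adv = parse_advisory(line)
        installed = inventory.get(adv.plugin)
        if installed is not None and is_affected(installed, adv):
            hits.append((adv.plugin, installed, adv.title))
    return hits


if __name__ == "__main__":
    # Constructed inventory for illustration, keyed by display name.
    installed_plugins = {
        "Modern Events Calendar Lite": "5.16.5",
        "Super Forms": "4.9.602",
        "WP Shieldon": "1.6.3",
        "uListing": "1.7",
        "Elementor": "3.0.14",
    }
    for plugin, ver, title in find_affected(installed_plugins):
        print(f"AFFECTED: {plugin} {ver}: {title}")
```

Note that an entry such as "uListing < 1.7" is not flagged for an installed 1.7, while "<= 4.9.602" does flag 4.9.602 itself; getting the boundary right matters because the patched release is usually the one just above the stated bound.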

The previous installment is here