Between January 18 and February 15, 2021, one vulnerability (one advisory) was published.
- JVN#50470170 (2021/02/05): WordPress, Name Directory plugin, cross-site request forgery vulnerability
  http://jvn.jp/jp/JVN50470170/
Incidentally, I also picked up some WordPress-related information that has not been posted to JVN, so I am pasting it here. This covers January 2021.
WordPress Plugin Vulnerabilities
- Modern Events Calendar Lite < 5.16.6 - Authenticated SQL Injection
- Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE
- Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export
- Modern Events Calendar Lite < 5.16.5 - Authenticated Stored Cross-Site Scripting (XSS)
- Super Forms <= 4.9.602 - Unauthenticated PHP4 File Upload to RCE
- uListing < 1.7 - Unauthenticated Arbitrary Post/Page Deletion
- uListing < 1.7 - Unauthenticated SQL Injections
- uListing < 1.7 - Unauthenticated Arbitrary Roles and Capabilities Creation/Deletion
- uListing < 1.7 - Unauthenticated Information Disclosure
- uListing < 1.7 - Unauthenticated WordPress Options Change
- uListing < 1.7 - Unauthenticated Arbitrary Account Change
- uListing < 1.7 - Unauthenticated Arbitrary Account Creation
- Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection
- Doneren met Mollie < 2.8.5 - Unauthorised CSV Export leading to Sensitive Data Disclosure
- Contact Form 7 Database Addon < 1.2.5.4 - Authenticated SQL Injections
- Digital Climate Strike WP <= 1.0.0 - Redirect to Malicious Website due to Compromised JS Asset
- Under Construction < 3.86 - Authenticated Stored Cross-Site Scripting (XSS)
- Stockdio Historical Chart < 2.8.1 - Reflected Cross-Site Scripting (XSS)
- 123ContactForm for WordPress <= 1.5.6 - Unauthenticated Arbitrary File Upload
- 123ContactForm for WordPress <= 1.5.6 - Unauthenticated Arbitrary Post Creation
- 123ContactForm for WordPress <= 1.5.6 - Validation Bypass via Plugin Verification
- e-signature < 1.5.6.8 - Unauthenticated Arbitrary File Upload leading to RCE
- WP Shieldon 1.6.3 - Unauthenticated Cross-Site Scripting (XSS)
- 301 Redirects - Easy Redirect Manager < 2.51 - Authenticated SQL Injection
- Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download
- FV Flowplayer Video Player < 7.4.38.727 - Authenticated Stored Cross-Site Scripting (XSS)
- Easy Contact Form Pro < 1.1.1.9 - Authenticated Stored Cross-Site Scripting (XSS)
- Elementor Contact Form DB < 1.6 - Unauthenticated & Unauthorised Form Submissions Export
- Elementor Contact Form DB < 1.6 - Plugin Settings Cross-Site Request Forgery
- Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Privilege Escalation
- Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Stored Cross Site Scripting
- WP Quick FrontEnd Editor <= 5.5 - Authenticated Settings Change leading to Stored XSS
- WP Quick FrontEnd Editor <= 5.5 - Authenticated Content Injection
- Custom Global Variables <= 1.0.5 - Stored Cross-Site Scripting (XSS)
- Modal Survey < 2.0.1.8.2 - Authenticated PHP Object Injection
- Modal Survey < 2.0.1.8.2 - Unauthenticated Arbitrary Survey Update, Deletion and Creation
- Modal Survey < 2.0.1.8.2 - Authenticated Reflected Cross-Site Scripting (XSS)
- WP24 Domain Check < 1.6.3 - Authenticated Stored Cross-Site Scripting (XSS)
- Advanced Custom Fields < 5.8.12 - Cross-Site Scripting in Select2 dropdowns
- Elementor < 3.0.14 - SVG Upload Allowed by Default
- Stripe Payments < 2.0.40 - Authenticated Stored Cross-Site Scripting (XSS)
- WP Paginate < 2.1.4 - Authenticated Stored Cross-Site Scripting (XSS)
- Contact Form Submissions <= 1.6.4 - Authenticated SQL Injection
- Contact Form Submissions <= 1.6.4 - Authenticated Double Query SQL injection
That is quite a lot. I think it is necessary to check daily whether updates have arrived.
The previous round of information is here.