札幌市内で情報システム関連の企画提案・開発・構築・運用および顧問業務を行っております

CMSの脆弱性情報

  • HOME »
  • CMSの脆弱性情報

2021年5月19日〜6月15日迄の間に7件7つの脆弱性が公表されています。

  1. JVN#70566757
    2021/06/11
    WordPress
    クロスサイトスクリプティング
    http://jvn.jp/jp/JVN70566757/
    Welcart e-Commerce
  2. JVN#79254445
    2021/06/15
    EC-CUBE
    クロスサイトスクリプティング
    http://jvn.jp/jp/JVN79254445/
    配送伝票番号プラグイン(3.0系)
  3. JVN#79254445
    2021/06/15
    EC-CUBE
    クロスサイトスクリプティング
    http://jvn.jp/jp/JVN79254445/
    配送伝票番号csv一括登録プラグイン(3.0系)
  4. JVN#79254445
    2021/06/15
    EC-CUBE
    クロスサイトスクリプティング
    http://jvn.jp/jp/JVN79254445/
    配送伝票番号メールプラグイン(3.0系)
  5. JVN#57524494
    2021/06/15
    EC-CUBE
    クロスサイトスクリプティング
    http://jvn.jp/jp/JVN57524494/
    EC-CUBE3.0用プラグイン「帳票出力プラグイン」
  6. JVN#57524494
    2021/06/15
    EC-CUBE
    クロスサイトスクリプティング
    http://jvn.jp/jp/JVN57524494/
    EC-CUBE3.0用プラグイン「メルマガ管理プラグイン」
  7. JVN#57524494
    2021/06/15
    EC-CUBE
    クロスサイトスクリプティング
    http://jvn.jp/jp/JVN57524494/
    EC-CUBE3.0用プラグイン「カテゴリコンテンツプラグイン」

ちなみにWordPressに関してJVNに上がっていない情報も仕入れたので貼っておきます。こちらは2021年5月分になります。

WordPress Core Vulnerabilities

  • WordPress 3.7 to 5.7.1 – Object Injection in PHPMailer

WordPress Plugin Vulnerabilities

  • FooGallery < 2.0.35 - Authenticated Stored Cross-Site Scripting
  • Yes/No Chart < 1.0.12 - Authenticated (contributor+) Blind SQL Injection
  • The Plus Addons for Elementor Page Builder < 4.1.10 - Open Redirect
  • The Plus Addons for Elementor Page Builder < 4.1.11 - Arbitrary Reset Pwd Email Sending
  • The Plus Addons for Elementor < 4.1.12 - Reflected Cross-Site Scripting (XSS)
  • NinjaFirewall < 4.3.4 - Authenticated (admin+) PHAR Deserialization
  • Xllentech English Islamic Calendar < 2.6.8 - Authenticated SQL Injection
  • Side Menu < 3.1.5 - Authenticated (admin+) SQL Injection
  • Stock in & out <= 1.0.4 - Reflected Cross-Site Scripting (XSS)
  • Sendit WP Newsletter <= 2.5.1 - Authenticated (admin+) SQL Injection
  • Visitors <= 0.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
  • Simple 301 Redirects by BetterLinks – 2.0.0 – 2.0.3 – Arbitrary Plugin Activation
  • Simple 301 Redirects by BetterLinks – 2.0.0 – 2.0.3 – Update and Retrieve Wildcard Value
  • Simple 301 Redirects by BetterLinks – 2.0.0 – 2.0.3 – Arbitrary Plugin Installation
  • Simple 301 Redirects by BetterLinks – 2.0.0 – 2.0.3 – Unauthenticated Redirect Import
  • Simple 301 Redirects by BetterLinks – 2.0.0 – 2.0.3 – Unauthenticated Redirect Export
  • Gallery From Files <= 1.6.0 - Reflected Cross-Site Scripting (XSS)
  • Gallery From Files <= 1.6.0 - Unauthenticated RCE
  • Multivendor Marketplace Solution for WooCommerce < 3.7.4 - Unauthenticated Arbitrary Product Comment
  • Cookie Law Bar <= 1.2.1 - Authenticated Stored Cross-Site Scripting (XSS)
  • SP Project & Document Manager <= 4.21 - Authenticated Shell Upload
  • Easy Preloader <= 1.0.0 - Authenticated Stored Cross-Site Scripting (XSS)
  • iFlyChat – WordPress Chat <= 4.6.4 - Authenticated Stored Cross-Site Scripting (XSS)
  • Video Embed <= 1.0 - Authenticated (subscriber+) SQL Injection
  • FlightLog <= 3.0.2 - Authenticated (editor+) SQL Injection
  • WP Statistics < 13.0.8 - Unauthenticated SQL Injection
  • WP Prayer < 1.6.2 - Authenticated Stored Cross-Site Scripting (XSS)
  • CM Registration Pro < 3.2.1 - PHP Object Injection
  • Instant Images WordPress Plugin < 4.4.0.1 - Authenticated Stored XSS & XFS
  • Smooth Scroll Page Up/Down Buttons < 1.4 - Authenticated Stored XSS
  • Funnel Builder by CartFlows < 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID
  • Database Backup for WordPress < 2.4 - Authenticated Persistent Cross-Site Scripting (XSS)
  • WP Super Cache < 1.7.3 - Authenticated Remote Code Execution
  • External Media < 1.0.34 - Authenticated Arbitrary File Upload
  • Weekly Schedule < 3.4.3 - Authenticated Stored XSS
  • Photo Gallery < 1.5.67 - Authenticated Stored Cross-Site Scripting via Gallery Title
  • LifterLMS < 4.21.1 - Reflected Cross-Site Scripting (XSS) via Coupon Code in Checkout
  • LifterLMS < 4.21.1 - Authenticated Stored XSS in Edit Profile
  • All in One SEO Pack < 4.1.0.2 - Admin RCE via unserialize
  • ReDi Restaurant Reservations < 21.0426 - Unauthenticated Stored Cross-Site Scripting (XSS)
  • Simple Giveaways < 2.36.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
  • ThemeHigh WooCommerce Wishlist and Comparison < 1.0.5 - Unauthorised AJAX call
  • Zlick Paywall < 2.2.2 - CSRF Bypasses
  • Autoptimize < 2.8.4 - Authenticated Stored Cross-Site Scripting (XSS)
  • Ultimate Member < 2.1.20 - Authenticated Reflected Cross-Site Scripting (XSS)
  • UltimateWoo <= 0.1.10 - PHP Object Injection
  • DSGVO All in one for WP < 4.0 - Unauthenticated Stored Cross-Site Scripting (XSS)
  • Leads-5050 Visitor Insights < 1.0.4 - Unauthenticated License Change
  • Leads-5050 Visitor Insights < 1.1.0 - Unauthorised License Change
  • PickPlugins Product Slider for WooCommerce < 1.13.22 - Reflected Cross-Site Scripting (XSS)
  • Target First Plugin 2.0 – Unauthenticated Stored XSS via Licence Key
  • Hana Flv Player <= 3.1.3 - Authenticated Stored Cross-Site Scripting (XSS)
  • Parcel Tracker eCourier < 1.0.2 - Plugin's Settings Update via CSRF
  • Ship To Ecourier < 1.0.2 - Plugin's Settings Update via CSRF
  • Simple Admin Language Change < 2.0.2 - Arbitrary User Locale Change
  • Hotjar Connecticator <= 1.1.1 - Authenticated Stored Cross-Site Scripting (XSS)
  • WP Customer Reviews < 3.5.6 - Authenticated Stored Cross-Site Scripting (XSS)
  • Spam protection, AntiSpam, FireWall by CleanTalk < 5.153.4 - Unauthenticated Blind SQL Injection

WordPress Theme Vulnerabilities

  • JNews < 8.0.6 - Reflected Cross-Site Scripting (XSS)
  • Car Repair Services < 4.0 - Unauthenticated Reflected XSS & XFS
  • Mediumish <= 1.0.47 - Unauthenticated Reflected Cross-Site Scripting (XSS)
  • Listeo < 1.6.11 - Multiple XSS & XFS vulnerabilities
  • Listeo < 1.6.11 - Multiple Authenticated IDOR Vulnerabilities
  • Bello < 1.6.0 - Authenticated Cross-Site Scripting (XSS) and XFS
  • Bello < 1.6.0 - Unauthenticated Reflected XSS & XFS
  • Bello < 1.6.0 - Unauthenticated Blind SQL Injection
  • Goto < 2.1 - Reflected Cross-Site Scripting (XSS)

結構ありますね。日々、アップデートが来ていないかの確認は必要かと思います。

前回の情報はこちら

お気軽にお問い合わせください

PAGETOP
Powered by WordPress & BizVektor Theme by Vektor,Inc. technology.