WordPress plugin vulnerability information | 2024/09/10

Security staff

Last week, vulnerabilities were found in 80 plugins.

Vulnerability information

The high-severity ones are picked out below.

If you use any plugin on this list, update it.

  • FluentForm(<= 5.1.18)
    Missing Authorization to Authenticated (Subscriber+) Mailchimp Integration Modification vulnerability
    Severity: 4.2
  • Tutor LMS(<= 2.7.4)
    Cross-Site Request Forgery via ‘addon_enable_disable’ vulnerability
    Severity: 4.3
  • Big File Uploads(<= 2.1.2)
    Authenticated (Author+) Full Path Disclosure vulnerability
    Severity: 4.3
  • Revision Manager TMC(<= 2.8.19)
    Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending vulnerability
    Severity: 4.3
  • Frontend Post Submission Manager Lite(<= 1.2.2)
    Missing Authorization to Authenticated (Subscriber+) Settings Update vulnerability
    Severity: 4.3
  • Geo Controller(<= 8.6.9)
    Multiple Missing Authorization vulnerability
    Severity: 4.3
  • DN Popup(<= 1.2.2)
    Settings Update via CSRF vulnerability
    Severity: 4.3
  • Tourfic(<= 2.11.20)
    Cross-Site Request Forgery in Multiple Functions vulnerability
    Severity: 4.3
  • EventPrime(<= 4.0.4.3)
    Missing Authorization to Unauthenticated Private or Password-Protected Events Disclosure vulnerability
    Severity: 5.3
  • Cost Calculator Builder Pro(<= 3.1.96)
    Unauthenticated Price Manipulation vulnerability
    Severity: 5.3
  • Remember Me Controls(<= 2.0.1)
    Unauthenticated Full Path Disclosure vulnerability
    Severity: 5.3
  • S.A.F(<= 2.3.5)
    IP Address Spoofing to Protection Mechanism Bypass vulnerability
    Severity: 5.3
  • Ivory Search(<= 5.5.6)
    Information Exposure via AJAX Search Form vulnerability
    Severity: 5.3
  • Sensei LMS(< 4.24.2)
    Unauthenticated Email Template Leak vulnerability
    Severity: 5.3
  • Web Application Firewall – website security(<= 2.1.2)
    IP Address Spoofing to Protection Mechanism Bypass vulnerability
    Severity: 5.3
  • WP Cerber Security(<= 9.4)
    IP Protection Bypass vulnerability
    Severity: 5.3
  • IP Vault – WP Firewall(<= 1.1)
    IP Address Spoofing to Protection Mechanism Bypass vulnerability
    Severity: 5.3
  • AZIndex(<= 0.8.1)
    Index Deletion via CSRF vulnerability
    Severity: 5.4
  • Form Vibes – Database Manager for Forms(<= 1.4.12)
    Missing Authorization in Multiple Functions vulnerability
    Severity: 5.4
  • The Ultimate WordPress Toolkit – WP Extended(<= 3.0.8)
    Insecure Direct Object Reference vulnerability
    Severity: 5.4
  • The Ultimate WordPress Toolkit – WP Extended(<= 3.0.8)
    Missing Authorization to Admin Username Change vulnerability
    Severity: 5.4
  • The Events Calendar PRO(<= 7.0.2)
    Authenticated (Administrator+) PHP Object Injection to Remote Code Execution vulnerability
    Severity: 5.5
  • Starbox(< 3.5.2)
    Admin+ Stored XSS vulnerability
    Severity: 5.9
  • Floating Contact Button(< 2.8)
    Admin+ Stored XSS vulnerability
    Severity: 5.9
  • Community by PeepSo(<= 6.4.5.0)
    Authenticated (Administrator+) Stored Cross-Site Scripting via content Parameter vulnerability
    Severity: 5.9
  • Pocket Widget(<= 0.1.3)
    Admin+ Stored XSS vulnerability
    Severity: 5.9
  • EventON(< 2.2.17)
    Admin+ Stored XSS vulnerability
    Severity: 5.9
  • Popup Maker(< 1.19.1)
    Admin+ Stored XSS vulnerability
    Severity: 5.9
  • Preloader Plus – WordPress Loading Screen Plugin(<= 2.2.1)
    Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload vulnerability
    Severity: 5.9
  • Cab fare calculator(<= 1.1.6)
    Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
    Severity: 5.9
  • Secure Copy Content Protection and Content Locking(< 4.1.7)
    Admin+ Stored XSS vulnerability
    Severity: 5.9
  • Chatbot Support AI(<= 1.0.2)
    Admin+ Stored XSS vulnerability
    Severity: 5.9
  • Media Library Folders(<= 8.2.3)
    Missing Authorization on Various Functions vulnerability
    Severity: 6.3
  • Master Addons for Elementor(<= 2.0.6.4)
    Authenticated (Contributor+) Stored Cross-Site Scripting via data-jltma-wrapper-link Element vulnerability
    Severity: 6.5
  • Slider comparison image before and after(<= 0.8.3)
    Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
    Severity: 6.5
  • Nova Blocks by Pixelgrade(<= 2.1.7)
    Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute vulnerability
    Severity: 6.5
  • Affiliate Super Assistent(<= 1.5.3)
    Unauthenticated Arbitrary Shortcode Execution vulnerability
    Severity: 6.5
  • WP ULike(< 4.7.2.1)
    Subscriber+ Stored XSS vulnerability
    Severity: 6.5
  • Advanced Sermons(<= 3.3)
    Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
    Severity: 6.5
  • WP AdCenter(<= 2.5.6)
    Authenticated (Contributor+) Stored Cross-Site Scripting via ad_alignment Attribute vulnerability
    Severity: 6.5
  • Content Blocks (Custom Post Widget)(<= 3.3.5)
    Cross-Site Scripting (XSS) vulnerability
    Severity: 6.5
  • Dynamic Featured Image(<= 3.7.0)
    Authenticated (Contributor+) Stored Cross-Site Scripting via dfiFeatured Parameter vulnerability
    Severity: 6.5
  • Amelia(<= 1.2.3)
    Missing Authorization to Sensitive Information Exposure vulnerability
    Severity: 6.5
  • RD Station(<= 5.3.2)
    Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
    Severity: 6.5
  • Share This Image(<= 2.02)
    Authenticated (Contributor+) Stored Cross-Site Scripting via STI Buttons Shortcode vulnerability
    Severity: 6.5
  • PixelYourSite PRO(<= 10.4.2)
    Unauthenticated Information Exposure and Log Deletion vulnerability
    Severity: 6.5
  • PixelYourSite – Your smart PIXEL (TAG) Manager(<= 9.7.1)
    Unauthenticated Information Exposure and Log Deletion vulnerability
    Severity: 6.5
  • Attributes for Blocks(<= 1.0.6)
    Authenticated (Contributor+) Stored Cross-Site Scripting via attributesForBlocks Parameter vulnerability
    Severity: 6.5
  • The Ultimate WordPress Toolkit – WP Extended(<= 3.0.8)
    Authenticated (Subscriber+) Sensitive Information Exposure vulnerability
    Severity: 6.5
  • Share This Image(<= 2.01)
    Authenticated (Contributor+) Stored Cross-Site Scripting via alignment Parameter vulnerability
    Severity: 6.5
  • WPZOOM Portfolio(<= 1.4.4)
    Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute vulnerability
    Severity: 6.5
  • Customizer Export/Import(<= 0.9.7)
    Authenticated (Admin+) Arbitrary File Upload via Customization Settings Import vulnerability
    Severity: 6.6
  • AZIndex(<= 0.8.1)
    Stored XSS via CSRF vulnerability
    Severity: 7.1
  • Ninja Forms File Uploads Extension(<= 3.3.16)
    Unauthenticated Stored Cross-Site Scripting via File Upload vulnerability
    Severity: 7.1
  • Sign-up Sheets(< 2.2.13)
    Reflected XSS vulnerability
    Severity: 7.1
  • The Ultimate WordPress Toolkit – WP Extended(<= 3.0.8)
    Reflected Cross-Site Scripting via page vulnerability
    Severity: 7.1
  • Flaming Forms(<= 1.0.1)
    Reflected XSS vulnerability
    Severity: 7.1
  • Flaming Forms(<= 1.0.1)
    Unauthenticated Stored XSS vulnerability
    Severity: 7.1
  • Ninja Forms(3.8.6-3.8.10)
    WordPress Ninja Forms plugin 3.8.6 – 3.8.10 – Reflected XSS vulnerability
    Severity: 7.1
  • tagDiv Composer(<= 5.0)
    Reflected Cross-Site Scripting via envato_code[] vulnerability
    Severity: 7.1
  • Booking Calendar(<= 10.5)
    Reflected Cross-Site Scripting vulnerability
    Severity: 7.1
  • WC Marketplace(<= 4.2.0)
    Missing Authorization to Limited Vendor Privilege Escalation/Account Takeover vulnerability
    Severity: 7.3
  • Clean Login(<= 1.14.5)
    Authenticated (Contributor+) Local File Inclusion vulnerability
    Severity: 7.5
  • LifterLMS(<= 7.7.5)
    Authenticated (Admin+) SQL Injection vulnerability
    Severity: 7.6
  • The Ultimate WordPress Toolkit – WP Extended(<= 3.0.8)
    Directory Traversal to Authenticated (Subscriber+) Arbitrary File Download vulnerability
    Severity: 7.7
  • Bit File Manager(6.0-6.5.5)
    Unauthenticated Remote Code Execution via Race Condition vulnerability
    Severity: 8.1
  • Frontend Dashboard(<= 2.2.4)
    Authenticated (Subscriber+) Arbitrary Function Call vulnerability
    Severity: 8.5
  • Pinpoint Booking System(<= 2.9.9.5.0)
    WordPress Pinpoint Booking System plugin <= 2.9.9.5.0 – Authenticated (Subscriber+) SQL Injection vulnerability
    Severity: 8.5
  • WP Events Manager(<= 2.1.11)
    Authenticated (Subscriber+) Time-Based SQL Injection vulnerability
    Severity: 8.5
  • Attire(<= 2.0.6)
    Authenticated (Contributor+) PHP Object Injection vulnerability
    Severity: 8.5
  • ForumWP(<= 2.0.2)
    Insecure Direct Object Reference to Authenticated (Subscriber+) Privilege Escalation via Account Takeover vulnerability
    Severity: 8.8
  • Newsletters(<= 4.9.9.2)
    Authenticated Privilege Escalation vulnerability
    Severity: 8.8
  • The Ultimate WordPress Toolkit – WP Extended(<= 3.0.8)
    Authenticated (Subscriber+) Arbitrary Options Update vulnerability
    Severity: 8.8
  • Viral Signup(<= 2.1)
    Unauthenticated SQL Injection vulnerability
    Severity: 9.3
  • WPCOM Member(<= 1.5.2.1)
    Unauthenticated Privilege Escalation via User Meta vulnerability
    Severity: 9.8
  • WP-Recall(<= 16.26.8)
    Insecure Direct Object Reference to Unauthenticated Arbitrary Password Update vulnerability
    Severity: 9.8
  • LiteSpeed Cache(< 6.5.0.1)
    Unauthenticated Account Takeover via Cookie Leak vulnerability
    Severity: 9.8
  • WP Job Portal(<= 2.1.6)
    Unauthenticated Local File Inclusion, Arbitrary Settings Update, and User Creation vulnerability
    Severity: 9.8
  • Web Directory Free(< 1.7.3)
    Unauthenticated Local File Inclusion vulnerability
    Severity: 9.8
  • Bit File Manager(<= 6.5.5)
    Authenticated (Subscriber+) Arbitrary File Upload vulnerability
    Severity: 9.9

Low-severity items are not shown.