31 Mar WordPress vulnerabilities March 2020
- Strong Testimonials < 2.40.1 – Stored Cross Site Scripting (XSS)
- Tutor LMS < 1.5.3 – Cross-Site Request Forgery (CSRF)
- Htaccess by BestWebSoft < 1.8.2 – CSRF to edit .htaccess
- Ultimate Membership Pro < 8.6.1 – Multiple Critical Vulnerabilities
- Events Manager < 5.9.7.2 – CSV Injection
- Events Manager Pro < 2.6.7.2 – CSV Injection
- Profile Builder and Profile Builder Pro < 3.1.1 – User Registration With Administrator Role
- Participants Database < 1.9.5.6 – Authenticated Time Based SQL Injection
- GDPR Cookie Consent < 1.8.3 – Improper Access Controls
- Ninja Forms < 3.4.23 – CSRF to Stored Cross-Site Scripting (XSS) Issues
- ThemeGrill Demo Importer < 1.6.3 – Auth Bypass & Database Wipe
- Popup Builder < 3.0 – SQL injection via PHP Deserialization
- wpCentral < 1.5.1 – Improper Access Control to Privilege Escalation
- Easy Property Listings < 3.4 – Cross-Site Request Forgery (CSRF)
- ThemeREX Addons – Remote Code Execution
- Modula Image Gallery < 2.2.5 – Authenticated Stored Cross-Site Scripting (XSS)
- Duplicator 1.3.24 & 1.3.26 – Unauthenticated Arbitrary File Download
- Chained Quiz < 1.1.9.1 – Authenticated Stored XSS
- Fruitful Theme < 3.8.1 – Unauthenticated Reflected Cross-Site Scripting (XSS)
- Ultimate Membership Pro < 8.6.2 – Multiple CSRF Issues via AJAX Calls, Insufficient Filename Entropy
- Ultimate Membership Pro < 8.7 – Cross-Site Request Forgery allowing Arbitrary Account Deletion and Creation
- Photo Gallery < 1.5.46 – Multiple Cross-Site Scripting (XSS) Issues
- Envira Photo Gallery < 1.7.7 – Authenticated Stored Cross-Site Scripting (XSS) Issue
- Pricing Table by Supsystic < 1.8.2 – Insecure Permissions on AJAX Actions
- Pricing Table by Supsystic < 1.8.2 – Unauthenticated Stored XSS
- Pricing Table by Supsystic < 1.8.1 – Cross-Site Request Forgery to XSS and Setting Changes
- Flexible Checkout Fields for WooCommerce < 2.3.2 – Unauthenticated Settings Update
- Export Users to CSV <= 1.4.2 – CSV Injection
- Hero Maps Premium < 2.2.3 – Unauthenticated Reflected Cross-Site Scripting (XSS)
- wpdefault – Backdoor Plugin
- CardGate < 3.1.16 – Unauthorised Payments Hijacking and Order Status Spoofing
- Async Javascript < 2.20.02.27 – Subscriber+ Stored XSS via Plugin Settings Change
- 10Web Map Builder for Google Maps < 1.0.64 – Unauthenticated Stored XSS via Plugin Settings Change
- Modern Events Calendar Lite < 5.1.7 – Multiple Subscriber+ Stored XSS