68 plugins do WordPress podem deixar seu site em risco!

A lista acaba de ser divulgada pelo iThemes, que divulgou o relatório atualizado e tido como a quinta parte. A vulnerabilidade atinge 68 plugins para o WordPress, mas algumas empresas lançaram atualizações recentes. Desta forma, caso você tenha algum plugin da lista, fique atento as versões as quais as correções foram lançadas. Mas, nem tudo são flores, alguns plugins até o momento não lançaram nenhuma correção.

Lista dos 68 plugins WordPress com vulnerabilidades!

• 1. Comments – wpDiscuz
• 2. Page Generator
• 3. WordPress to Hootsuite
• 4. WordPress to Buffer
• 5. Gutenberg PDF Viewer Block
• 6. YITH WooCommerce Product Add-Ons
• 7. To Top
• 7. Header Enhancement
• 8. Generate Child Theme
• 9. Essential Content Types
• 9. Catch Web Tools
• 10. Essential Widgets
• 11. Catch Under Construction
• 12. Catch Themes Demo Import
• 13. Catch Sticky Menu
• 14. Catch Scroll Progress Bar
• 15. Social Gallery and Widget
• 16. Catch Infinite Scroll
• 17. Catch Import Export
• 18. Catch Gallery
• 19. Catch Duplicate Switcher
• 20. Catch Breadcrumb
• 21. Catch IDs
• 22. Tutor LMS
• 23. WP Import Export Lite
• 24. One User Avatar
• 25. Scroll Baner
• 26. WP Ticket
• 27. GamePress
• 28. Wechat Reward
• 29. Sociable
• 30. BetterDocs
• 31. Multiple WooCommerce Add-Ons – multiple plugins
• 32. WP Cookie Choice
• 33. Easy Twitter Feed
• 34. Html5 Audio Player
• 35. Polo Video Gallery
• 36. StreamCast
• 37. PDF Light Viewer
• 38. MainWP Child Reports
• 39. LearnPress
• 40. OptinMonster
• 41. Frontend Uploader
• 42. Allow REL= and HTML in Author Bios
• 43. WP HTML Author Bio
• 44. jQuery Reply to Comment
• 45. Video Gallery – Vimeo and YouTube Gallery
• 46. Request a Quote
• 47. St Daily Tip
• 48. Advance Search
• 49. WP Mega Menu
• 50. Cherry Plugin
• 51. WP Job Manager
• 52. WP Mobile Detector
• 53. Telefication
• 54. Game Server Status
• 55. Responsive WordPress Slider
• 56. Fetch Tweets
• 57. WooCommerce
• 58. WooCommerce Admin
• 59. YT Player
• 60. Cookie Bar
• 61. WP User Manager
• 62. Easy Media Download
• 63. Ninja Forms
• 64. 3DPrint Lite
• 65. iQ Block Country
• 66. WordPress Popular Posts
• 67. Custom Dashboard & Login Page
• 68. Bug Library

Plugins WordPress que estão vulneravéis e que NÃO foram corrigidas!

Note que a lista pode ser atualizada a qualquer momento por nós. No entanto, até o momento não houve nenhuma mudança ou informação dos desenvolvedores dos plugins abaixo para resolver os problemas destacados.

Plugin: YITH WooCommerce Product Add-Ons

Plugin: YITH WooCommerce Product Add-Ons
Vulnerability: Authenticated Local File Inclusion
Patched in Version: 2.1.0
Severity Score: Medium

Plugin:YITH WooCommerce Product Add-Ons
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.1.0
SeverityScore: High

Plugin: Scroll Baner 

Plugin:Scroll Baner 
Vulnerability: CSRF to RCE
Patched in Version: no known fix
SeverityScore: Critical

Plugin: GamePress

Plugin:GamePress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: no known fix
SeverityScore: High

Plugin Wechat Reward

Plugin:Wechat Reward
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: no known fix
SeverityScore: High

Plugin: Sociable

Plugin:Sociable
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: no known fix
SeverityScore: Low

Plugin: WP Cookie Choice

Plugin: WP Cookie Choice
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: no known fix
SeverityScore: High

Plugin: Polo Video Gallery

Plugin:Polo Video Gallery
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed
SeverityScore: Medium

Plugin: Frontend Uploader

Plugin: Frontend Uploader
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed
SeverityScore: Medium

Plugin:Allow REL= and HTML in Author Bios – WordPress plugin | WordPress.org

Plugin:Allow REL= and HTML in Author Bios – WordPress plugin | WordPress.org
Vulnerability: Author+ Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed
SeverityScore: Medium

Plugin:WP HTML Author Bio

Plugin:WP HTML Author Bio
Vulnerability: Author+ Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed
SeverityScore: Medium

Plugin: jQuery Reply to Comment 

Plugin:jQuery Reply to Comment 
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed
SeverityScore: High

Plugin: Video Gallery – Vimeo and YouTube Gallery

Plugin: Video Gallery – Vimeo and YouTube Gallery
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed
SeverityScore: Low

Plugin: St Daily Tip

Plugin:St Daily Tip
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed
SeverityScore: High

Plugin: WP Mobile Detector

Plugin:WP Mobile Detector
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in Version: 3.6
SeverityScore: Critical

Plugin: Telefication

Plugin:Telefication
Vulnerability: Open Relay & Server-Side Request Forgery
Patched in Version: no known fix – plugin closed
SeverityScore: Medium

Plugin: Game Server Status 

Plugin: Game Server Status 
Vulnerability: Contributor+ SQL Injection
Patched in Version: no known fix – plugin closed
Severity Score: High

Plugin: Game Server Status 
Vulnerability: Admin+ SQL Injection
Patched in Version: no known fix – plugin closed
Severity Score: Medium

Plugin: Game Server Status 
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed
Severity Score: Low

Plugin: Responsive WordPress Slider

Plugin: Responsive WordPress Slider
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed
Severity Score: Critical

Plugin: Responsive WordPress Slider
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: no known fix – plugin closed
Severity Score: Critical

Plugin: Fetch Tweets

Plugin:Fetch Tweets
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: no known fix – plugin closed
SeverityScore: High

Plugin: Cookie Bar

Plugin:Cookie Bar
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed
SeverityScore: Low

Plugin: 3DPrint Lite

Plugin:3DPrint Lite
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in Version: no known fix – plugin closed
SeverityScore: Critical

Agora que você já viu a lista de quem tinha a vulnerabilidade e também a lista dos plugins WordPress que ainda não a corrigiram, segue uma recomendação. Primeiro, observe se há uma alternativa ao plugin vulnerável, depois tente enviar e-mail para o desenvolvedor resolver o problema. Por fim, caso não tenha alternativas, pense que talvez seja o momento de contratar um plugin WordPress de segurança.

Fonte: iThemes