WordPress Plugin and Theme Security Vulnerabilities, Week 19

WP Serveur informs you of the latest known security vulnerabilities in WordPress plugins and themes:

WordPress Plugins

  • Yoast SEO <= 3.2.4 - Subscriber Settings Sensitive Data Exposure
  • Ninja Forms 2.9.36 to 2.9.42 - Multiple Vulnerabilities
  • Ghost Plugin <= 0.5.5 - Unrestricted Export Download
  • bbPress <= 2.5.8 - Stored Cross-Site Scripting (XSS)
  • Advanced Custom Fields <= 4.4.7 - Authenticated Cross-Site Scripting (XSS)
  • MainWP <= 3.1.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
  • Simple Photo Gallery <= 1.8.0 - Stored Cross-Site Scripting (XSS)

WordPress Themes

  • Truemag Theme - Unauthenticated Reflected Cross-Site Scripting (XSS)
  • ScoreMe Theme - Unauthenticated Reflected Cross-Site Scripting (XSS)
  • Beauty Theme 1.0.8 - Arbitrary File Upload
  • Antioch Theme - Arbitrary File Download
  • epic Theme - Arbitrary File Download
  • Good News Themes - Reflected Cross-Site Scripting (XSS)

WordPress Core Vulnerabilities

  • WordPress 4.2-4.5.1 - Plupload Same Origin Method Execution (SOME)
  • WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)
  • WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexadecimal IP addresses
  • WordPress <= 4.4.2 - Reflected XSS in Network Settings
  • WordPress <= 4.4.2 - Script Compression Option CSRF

We strongly advise you to check for updates to these plugins/themes. If no patch is available, we recommend that you simply remove them from your WordPress installation as soon as possible!

Warning: update your WordPress to 4.5.2
We advise you to update to WordPress 4.5.2 as soon as possible; it is an important security release. Read more

Warning to Templatic account holders

Templatic suffered a major breach this weekend; their notification letter (in English) is reproduced below:

Dear templatic customer,
Let me start by saying that templatic has never ever stored any credit card information on our site. All the transactions are only ever handled directly by PayPal or 2Checkout. Our site is only integrated with the above secure payment gateways so your financial data is always safe and never stored by us. In fact, we never had access to your credit card or financial information. Now I will go into detail and share what's happened.
Our site was hacked recently
As announced on our social media accounts a few hours ago, our site was recently hacked and our databases compromised. It looks like the hacker may have gained access to our files and databases on our server. We are actively working with sucuri.net to clean and protect the site.
Hacker is demanding ransom money
The hacker is now threatening us via email and demanding that ransom money be paid. This hacker is also threatening to misuse the data they've illegally gained access to and email our data to customers. While this is a very serious and dangerous threat, we are not going to give in to threats and we will not be negotiating with any hacker, no matter how much they try. A security expert has been assigned to this case and investigations are now being conducted. We are also taking legal action against all the illegal activities the hacker has been involved in.
What you must do immediately
If you ever shared your site login information with us such as for your cPanel, FTP or wp-admin, you should immediately change the logins.
If you are using any of our products that use the "Tevolution" plugin and you haven't yet updated the plugin, please follow the instructions in this post (https://templatic.com/…/security-vulnerability-found-themes/) and update the plugin immediately.
Make sure no unknown files are present on your site. We strongly advise you to scan your site now by using security sites such as sucuri.net.
In case you are using the same email ID and password for your email account and your account at templatic, you must also change the logins for your email immediately.
Please take a full backup of your site and database.
You might receive fake emails pretending to be “templatic” or exposing data.

  • If you have an account with them, we strongly encourage you to contact them, or at least change your credentials quickly.
  • If you use the same password for your email address as for your Templatic account, you must change it.
  • If you have given them login details for your server, your FTP, your WordPress, or anything else, you must change them.

For any further information, you can contact them directly.

Want a more secure WordPress?