Marc-Alexandre Montpas

**Nome do software vulnerável e versões afetadas** Plugin SiteGround Optimizer para versões do WordPress até 5.0.12 Caldera Forms em versões anteriores à última atualização **Descrição** A vulnerabilidade está relacionada à contornamento de autorização, levando à execução remota de código e à inclusão de arquivos locais. Isso se deve ao uso incorreto de um atributo de controle de acesso na função `switch php`, chamada por meio da rota da API REST “/switch-php”. Os invasores podem incluir e executar arquivos arbitrários no servidor, permitindo a execução de qualquer código PHP nesses arquivos. Isso pode ser usado para contornar controles de acesso, obter dados confidenciais ou conseguir a execução de código em casos em que imagens e outros tipos de arquivos “seguros” possam ser carregados e incluídos. **Recomendações** Para o plugin SiteGround Optimizer para WordPress até a versão 5.0.12: atualize para a versão mais recente imediatamente para mitigar os riscos. Para versões do Caldera Forms anteriores à atualização mais recente: atualize para a versão mais recente imediatamente para mitigar os riscos. Como solução temporária, considere desativar a função `switch php` até que um patch esteja disponível. Restrinja o acesso ao endpoint da API vulnerável “/switch-php” para minimizar o risco de exploração.

**Name of the Vulnerable Software and Affected Versions** WordPress versions 4.7.0 through 4.7.1 **Description** The issue allows remote attackers to modify arbitrary pages. This is achieved by exploiting the `register routes` function in the REST API, which does not require an integer identifier. Attackers can send a request for `wp-json/wp/v2/posts` followed by a numeric value and a non-numeric value. For example, the `wp-json/wp/v2/posts/123?id=123helloworld` URI can be used for this purpose. **Recommendations** For WordPress versions 4.7.0 through 4.7.1, update to version 4.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.7.2 Debian (affected versions not specified) **Description** The issue concerns a problem with access restrictions in WordPress, specifically in the Press This feature. It allows remote attackers to bypass intended access restrictions by reading terms due to improper restriction of visibility of a taxonomy-assignment user interface. **Recommendations** For WordPress versions prior to 4.7.2, update to version 4.7.2 or later to resolve the issue. For Debian, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.2.4 **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators for requests that lock a post, potentially causing a denial of service (editing blockage) via a 'get-post-lock' action. **Recommendations** For versions prior to 4.2.4, update to version 4.2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `wp-admin/post.php` file to minimize the risk of exploitation. Avoid using the 'get-post-lock' action in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.2.4 **Description** A cross-site scripting (XSS) issue exists due to insufficient input validation in the `refreshAdvancedAccessibilityOfItem` function. This allows remote attackers to inject arbitrary web script or HTML via an accessibility-helper title. **Recommendations** For versions prior to 4.2.4, update to version 4.2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `nav-menu.js` file in `wp-admin/js` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.2.4 **Description** A cross-site scripting (XSS) issue exists in the legacy theme preview implementation, allowing remote attackers to inject arbitrary web script or HTML via a crafted string. **Recommendations** For versions prior to 4.2.4, update to version 4.2.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.2.4 **Description** A cross-site scripting (XSS) issue exists in the form function in the WP Nav Menu Widget class. This allows remote attackers to inject arbitrary web script or HTML via a widget title. **Recommendations** For versions prior to 4.2.4, update to version 4.2.4 or later to resolve the issue. As a temporary workaround, consider restricting the ability to edit widget titles to trusted users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.2.4 **Description** A SQL injection issue exists due to mishandling of comments retrieved from the trash in the wp untrash post comments function. This allows remote attackers to execute arbitrary SQL commands. **Recommendations** For versions prior to 4.2.4, update to version 4.2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the wp untrash post comments function until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.2.4 **Description** The issue concerns a timing side-channel attack. It is related to the `sanitize widget instance` function, which does not use a constant-time comparison for widgets. This allows remote attackers to conduct an attack by measuring the delay before inequality is calculated. **Recommendations** For versions prior to 4.2.4, update to version 4.2.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Disqus Comment System plugin versions prior to 2.76 for WordPress **Description** The issue allows remote attackers to hijack the authentication of administrators for requests, conducting cross-site scripting (XSS) attacks. This is achieved via the `disqus replace`, `disqus public key`, or `disqus secret key` parameter to "wp-admin/edit-comments.php" in manage.php, or by resetting or deleting plugin options via the `reset` parameter to "wp-admin/edit-comments.php". **Recommendations** For Disqus Comment System plugin versions prior to 2.76, update to version 2.76 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Disqus Comment System plugin versions prior to 2.76 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `step` parameter in the upgrade.php file. **Recommendations** For versions prior to 2.76, update to version 2.76 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MailPoet Newsletters (wysija-newsletters) plugin versions prior to 2.6.7 **Description** The issue allows remote attackers to bypass authentication and execute arbitrary PHP code. This is achieved by uploading a crafted theme using the "wp-admin/admin-post.php" endpoint and then accessing the theme in "wp-content/uploads/wysija/themes/mailp/". **Recommendations** For versions prior to 2.6.7, update to version 2.6.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the "wp-admin/admin-post.php" endpoint and the "wp-content/uploads/wysija/themes/mailp/" directory to minimize the risk of exploitation.