WordPress AMP plugin vulnerability affects 100,000 sites
The Accelerated Mobile Pages (AMP) WordPress plugin, which has more than 100,000 installations, patched a medium-severity vulnerability that could allow an attacker to inject malicious scripts that are then executed in the browsers of visitors to the website.
Cross-site scripting via Shortcode
Cross-site scripting (XSS) is one of the most common vulnerabilities.
In the context of WordPress plugins, XSS vulnerabilities typically arise when a plugin accepts data in a way that does not fully validate or sanitize the user's input.
Sanitization is a method for blocking unwanted input. For example, if a plugin lets users add text through an input field, it should also sanitize any other content that is not expected in that field, such as a script or a zip file.
A shortcode is a WordPress feature that lets users insert a tag such as [example] into posts and pages.
Shortcodes embed functionality or content provided by a plugin: users configure the plugin from the admin panel, then copy and paste the shortcode into the post or page where they want the plugin's functionality to appear.
The "Cross-site scripting via Shortcode" vulnerability is a security flaw that allows an attacker to inject malicious scripts into a website by abusing a plugin's shortcode functionality.
According to a recent advisory published by Patchstack, a WordPress security company that also gives affected webmasters mitigation advice:
"This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site."
The vulnerability has been fixed in version 1.0.89.
Wordfence describes the vulnerability:
"The Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.0.88.1 due to insufficient input sanitization and output escaping on user supplied attributes."
Wordfence also clarified that this is an authenticated vulnerability, meaning the attacker would need at least contributor-level permissions in order to exploit it.