Sites are being attacked through the Ninja Forms WordPress plugin, which has over a million installations

A critical vulnerability (no CVE assigned yet) has been found in the Ninja Forms WordPress add-on, which has more than a million installations. It allows an outside visitor to gain full control of the site. The issue is fixed in releases 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. The vulnerability is reported to be already in use in attacks, and to close the problem quickly the WordPress platform developers have begun forcing automatic installation of the update on users' sites.

The vulnerability is caused by an error in the implementation of the Merge Tags feature, which allows unauthenticated users to call some static methods from various Ninja Forms classes (the is_callable() function was called to check whether methods were named in the data passed through Merge Tags). Among other things, it was possible to call a method that deserializes content sent by the user. By passing specially crafted serialized data, an attacker could substitute their own objects and achieve execution of PHP code on the server, or delete arbitrary files in the directory holding the site's data.
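
The bug class described above, as an added example that is not Ninja Forms code: a tag resolver whose only gate is is_callable() on request text, beside one that looks tags up in a fixed allowlist and a deserializer that refuses to instantiate objects. All class, tag and function names here are hypothetical.

```php
<?php
// Added illustration; class, tag and function names are hypothetical, not Ninja Forms code.
final class DemoFields
{
    // Harmless resolver that is meant to be reachable from a merge tag.
    public static function site_title(): string
    {
        return 'Example Site';
    }

    // Internal helper that was never meant to be reachable from request data.
    public static function import_blob(string $blob)
    {
        return unserialize($blob); // object-injection sink if $blob is user-controlled
    }
}

// Weak pattern: the tag text itself names the callable; is_callable() is the only gate.
function resolve_tag_weak(string $tag, array $args = [])
{
    // "{DemoFields::import_blob}" passes this check just as "{DemoFields::site_title}" does.
    $callable = trim($tag, '{}');
    return is_callable($callable) ? call_user_func_array($callable, $args) : $tag;
}

// Hardened pattern: tags map to callables in a fixed allowlist; requests never name code.
const ALLOWED_TAGS = [
    '{site:title}' => [DemoFields::class, 'site_title'],
];

function resolve_tag_strict(string $tag): string
{
    if (!array_key_exists($tag, ALLOWED_TAGS)) {
        return ''; // unknown tag: render nothing, call nothing
    }
    return (string) call_user_func(ALLOWED_TAGS[$tag]);
}

// If stored data must be deserialized, refuse object instantiation (or use JSON instead).
function decode_untrusted(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed inputs: a legitimate tag, a tag naming an internal method, plain array data.
var_dump(resolve_tag_strict('{site:title}'));
var_dump(resolve_tag_strict('{DemoFields::import_blob}'));
var_dump(decode_untrusted(serialize(['a' => 1])));
```

With the allowlist, a tag that names an internal static method resolves to an empty string instead of being invoked, and any serialized object reaching decode_untrusted() comes back as __PHP_Incomplete_Class rather than a live instance.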

source: budenet.ru
