Vulnerability allowing JavaScript code substitution through the OptinMonster WordPress plugin

A vulnerability (CVE-2021-39341) has been identified in the OptinMonster WordPress plugin, which has more than a million active installations and is used to display pop-up notifications and offers; it lets an attacker place their own JavaScript code on a site. The vulnerability was fixed in release 2.6.5. To block access through keys intercepted before the update was installed, the OptinMonster developers revoked all previously created API access keys and added restrictions on using WordPress site keys to modify OptinMonster campaigns.

The problem was caused by the presence of the REST API endpoint /wp-json/omapp/v1/support, which could be reached without authentication: the request was processed without further checks if the Referer header contained the string "https://wp.app.optinmonster.test" and the HTTP request type was set to "OPTIONS" (which can be overridden via the "X-HTTP-Method-Override" HTTP header). The data returned by this REST API endpoint included an access key that allowed sending requests to any REST API handler.

Using the obtained key, an attacker could modify any pop-up block displayed through OptinMonster, including arranging the execution of their own JavaScript code. Having gained the ability to run JavaScript in the context of the site, the attacker could redirect users to their own site or arrange for a privileged account to be substituted in the web interface once the site administrator executed the injected JavaScript code. With access to the web interface, the attacker could achieve execution of their own PHP code on the server.
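A retrospective check for the bypass pattern described above, as an added example that is not part of the original article or of the OptinMonster project: it scans web server access logs for requests to the support endpoint that carry the Referer string or the method-override header named in the advisory. It assumes a constructed log format in which the X-HTTP-Method-Override header value is appended as a final quoted field; the sample log lines are constructed.

```python
import re

# Constructed log format (assumption, not a WordPress or OptinMonster default): the
# "combined" format plus the X-HTTP-Method-Override request header value appended
# as a final quoted field, e.g. nginx '... "$http_x_http_method_override"'.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*" "(?P<override>[^"]*)"$'
)

SUPPORT_ENDPOINT = "/wp-json/omapp/v1/support"        # endpoint named in the advisory
BYPASS_REFERER = "https://wp.app.optinmonster.test"   # Referer string named in the advisory

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def indicators(rec):
    """Return the advisory's bypass indicators present in one parsed request."""
    if rec["path"].split("?", 1)[0].rstrip("/") != SUPPORT_ENDPOINT:
        return []
    reasons = []
    if BYPASS_REFERER in rec["referer"]:
        reasons.append("Referer carries the bypass string")
    if rec["override"].upper() == "OPTIONS":
        reasons.append("X-HTTP-Method-Override set to OPTIONS")
    return reasons

def scan(lines):
    """Return (ip, timestamp, status, reasons) for each request matching an indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = indicators(rec)
        if reasons:  # a 200 here means the server answered, i.e. the site was unpatched
            findings.append((rec["ip"], rec["ts"], rec["status"], reasons))
    return findings

# Constructed sample lines: a benign REST call, a full bypass attempt answered with
# 200 (unpatched site), and a request carrying only the override header (rejected).
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Oct/2021:09:12:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 3120 "-" "Mozilla/5.0" "-"',
    '203.0.113.5 - - [20/Oct/2021:09:12:09 +0000] "POST /wp-json/omapp/v1/support HTTP/1.1" 200 612 "https://wp.app.optinmonster.test/" "curl/7.79.1" "OPTIONS"',
    '203.0.113.5 - - [20/Oct/2021:09:12:15 +0000] "POST /wp-json/omapp/v1/support HTTP/1.1" 401 77 "-" "curl/7.79.1" "OPTIONS"',
]

for ip, ts, status, reasons in scan(SAMPLE_LOG):
    print(f"{ts} {ip} status={status}: {'; '.join(reasons)}")
```

A flagged request with a 2xx status dated before the 2.6.5 update is the case worth treating as a possible key exposure, since the developers revoked existing API keys for exactly that reason.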

Source: opennet.ru