Attack on systems through the Ninja Forms WordPress plugin, which has more than a million installations

A critical vulnerability (a CVE has not yet been assigned) has been identified in the Ninja Forms WordPress add-on, which has more than a million installations. It allows an unauthenticated visitor to take control of the site. The issue was fixed in releases 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. The vulnerability is reported to be already in use in attacks, and to block the problem quickly the developers of the WordPress platform initiated a forced installation of the update on users' sites.

The vulnerability is caused by an error in the implementation of the Merge Tags functionality, which allows unauthenticated users to call some static methods from various Ninja Forms classes (the is_callable() function was called to check whether methods were mentioned in the data passed through Merge Tags). Among other things, it was possible to call a method that deserializes content sent by the user. By sending specially crafted data, an attacker could substitute their own objects and achieve execution of PHP code on the server, or delete arbitrary files in the directory with the site's data.
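The pattern described above, shown next to a hardened alternative. This is an added example, not Ninja Forms source code: the function, class and tag names are hypothetical, and the tag values are constructed.

```php
<?php
// Added illustration; hypothetical names, not Ninja Forms source code.

// Risky pattern: text taken from the request names the callable.
// is_callable() only confirms that the target exists, not that an
// unauthenticated visitor should be allowed to reach it.
function resolve_tag_unsafe(string $tag): string
{
    $target = trim($tag, '{}');   // "{Some_Class::some_method}" -> "Some_Class::some_method"
    if (is_callable($target)) {
        return (string) call_user_func($target);
    }
    return '';
}

// Hardened pattern: tags map to a fixed set of handlers chosen by the
// developer. Request data selects a key and never names code to run.
final class MergeTagResolver
{
    /** @var array<string, callable> */
    private array $handlers;

    public function __construct()
    {
        $this->handlers = [
            'site:name'  => static fn (): string => 'Example Site',   // constructed value
            'date:today' => static fn (): string => gmdate('Y-m-d'),
        ];
    }

    public function resolve(string $tag): string
    {
        $key = trim($tag, '{}');
        // Unknown tags are never executed; they come back as escaped text.
        if (!array_key_exists($key, $this->handlers)) {
            return htmlspecialchars($tag, ENT_QUOTES, 'UTF-8');
        }
        return htmlspecialchars(($this->handlers[$key])(), ENT_QUOTES, 'UTF-8');
    }
}

$resolver = new MergeTagResolver();
echo $resolver->resolve('{site:name}'), PHP_EOL;               // known tag: handler runs
echo $resolver->resolve('{Some_Class::some_method}'), PHP_EOL; // unknown tag: left as text
```

For the deserialization half of the issue, PHP's unserialize() accepts an `allowed_classes` option; setting it to `false` prevents objects of caller-chosen classes from being instantiated from request data.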

Source: opennet.ru
