Vulnerability allowing JavaScript code injection through the OptinMonster WordPress plugin

A vulnerability (CVE-2021-39341) has been identified in the OptinMonster WordPress plugin, which has more than a million installations and is used to display notifications and promotional pop-ups. It lets an attacker place their own JavaScript on a site that runs the vulnerable plugin. The issue was fixed in release 2.6.5. To block access through keys captured before the update was installed, the OptinMonster developers invalidated all previously generated API keys and restricted the use of WordPress site keys for modifying OptinMonster campaigns.

The problem is caused by the REST API endpoint /wp-json/omapp/v1/support being reachable without authentication: the request was processed without any further checks if the Referer header contained the string "https://wp.app.optinmonster.test" and the HTTP request method was "OPTIONS" (the method could be set through the HTTP header "X-HTTP-Method-Override", so an ordinary request could be made to count as OPTIONS). The data returned by this endpoint included an access key that allows requests to be sent to all the other REST API handlers.
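The authorization shortcut described above, modelled in Python as an added example (this is not OptinMonster's code, and the hardened variant is an assumed design, not the vendor's actual patch). The site key, the request object and the access-log format, including its trailing override= field that records X-HTTP-Method-Override, are constructed for the example; a stock web-server access log does not record that header, so a real detector needs a WAF or custom log format that does.

```python
import re
import hmac
from dataclasses import dataclass, field
from typing import Optional, List

# Constants taken from the advisory text
SUPPORT_ROUTE = "/wp-json/omapp/v1/support"
BYPASS_REFERER = "https://wp.app.optinmonster.test"

# Hypothetical site key; a real deployment keeps it in the WordPress options table
SITE_API_KEY = "example-site-key-0123"


@dataclass
class Request:
    """Minimal model of an incoming REST request (constructed for this example)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    logged_in: bool = False            # WordPress cookie/nonce auth succeeded
    api_key: Optional[str] = None      # key presented by the caller, if any

    def effective_method(self) -> str:
        # Many stacks honour X-HTTP-Method-Override before routing, so a GET
        # can be treated as OPTIONS without the transport ever seeing OPTIONS.
        return self.headers.get("X-HTTP-Method-Override", self.method).upper()

    def has_valid_key(self) -> bool:
        return self.api_key is not None and hmac.compare_digest(self.api_key, SITE_API_KEY)


def permission_vulnerable(req: Request) -> bool:
    """Permission callback with the flaw the advisory describes: a Referer
    string plus an (overridable) OPTIONS method short-circuits authentication."""
    if req.effective_method() == "OPTIONS" and BYPASS_REFERER in req.headers.get("Referer", ""):
        return True
    return req.logged_in or req.has_valid_key()


def permission_fixed(req: Request) -> bool:
    """Hardened form (assumed design): nothing the client controls can grant
    access, and a preflight/OPTIONS request never receives protected data."""
    if req.effective_method() == "OPTIONS":
        return False
    return req.logged_in or req.has_valid_key()


# Constructed log lines in an assumed custom access-log format that appends
# the X-HTTP-Method-Override value as a trailing "override=" field ("-" if absent).
SAMPLE_LOG = """\
203.0.113.5 - - [27/Oct/2021:10:12:01 +0000] "GET /wp-json/omapp/v1/support HTTP/1.1" 200 812 "https://wp.app.optinmonster.test" "curl/7.79.1" override=OPTIONS
198.51.100.7 - - [27/Oct/2021:10:12:09 +0000] "GET /wp-json/omapp/v1/support HTTP/1.1" 401 120 "-" "Mozilla/5.0" override=-
203.0.113.5 - - [27/Oct/2021:10:13:44 +0000] "OPTIONS /wp-json/omapp/v1/support HTTP/1.1" 200 812 "https://wp.app.optinmonster.test/" "python-requests/2.26" override=-
192.0.2.9 - - [27/Oct/2021:10:14:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4410 "https://example.org/" "Mozilla/5.0" override=-
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*" override=(?P<override>\S+)$'
)


def find_bypass_attempts(log_text: str) -> List[dict]:
    """Return parsed log records matching the CVE-2021-39341 probe pattern:
    the support route, the magic Referer, and OPTIONS (native or overridden)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        rec = m.groupdict()
        method = rec["override"] if rec["override"] != "-" else rec["method"]
        if (rec["path"].startswith(SUPPORT_ROUTE)
                and BYPASS_REFERER in rec["referer"]
                and method.upper() == "OPTIONS"):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    probe = Request("GET", SUPPORT_ROUTE,
                    {"Referer": BYPASS_REFERER, "X-HTTP-Method-Override": "OPTIONS"})
    print("vulnerable callback grants access:", permission_vulnerable(probe))
    print("fixed callback grants access:", permission_fixed(probe))
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print("bypass attempt from", hit["ip"], "at", hit["ts"], "status", hit["status"])
```

Both Referer and X-HTTP-Method-Override are entirely attacker-controlled, which is why neither may take part in an authorization decision; the detector is correspondingly keyed on that header pair, and a 200 on the support route for such a request is the strongest sign that a key was actually disclosed.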

Using the obtained key, an attacker could modify any of the blocks (campaigns) displayed through OptinMonster, including injecting their own JavaScript code. Once able to run JavaScript in the context of the site, the attacker could redirect visitors to their own site or perform actions in the web interface on behalf of a privileged account whenever the site administrator loaded a page carrying the injected JavaScript. With access to the administrative interface, the attacker could go on to execute their own PHP code on the server.

Source: opennet.ru
