Vulnerabilities in WordPress plugins with more than a million installations

Security researchers from Wordfence and WebARX have identified several dangerous vulnerabilities in five plugins for the WordPress web content management system, which together account for more than a million installations.

  • A vulnerability in the GDPR Cookie Consent plugin, which has more than 700 thousand installations. The issue is rated severity level 9 out of 10 (CVSS). The vulnerability allows an authenticated user with subscriber privileges to delete or hide (change the status to an unpublished draft) any page of the site, as well as substitute their own content on pages. The vulnerability was fixed in release 1.8.3.

  • A vulnerability in the ThemeGrill Demo Importer plugin, which counts more than 200 thousand installations (real attacks on sites have been recorded; after they began and data on the vulnerability became public, the number of installations has already dropped to 100 thousand). The vulnerability allows an unauthenticated visitor to wipe the contents of the site's database and reset the database to a fresh-install state. If a user named admin exists in the database, the vulnerability also allows full control over the site to be obtained. The vulnerability is caused by a failure to authenticate the user attempting to issue certain commands via the /wp-admin/admin-ajax.php script. The issue was fixed in version 1.6.2.

  • A vulnerability in the ThemeREX Addons plugin, which is used on 44 thousand sites. The issue is assigned a severity level of 9.8 out of 10. The vulnerability allows an unauthenticated user to execute their own PHP code on the server and replace the site administrator account by sending a specially crafted request via the REST-API. Cases of exploitation of the vulnerability have already been recorded in the wild, but an update with a fix is not yet available. Users are advised to remove the plugin as soon as possible.

  • A vulnerability in the wpCentral plugin, which has 60 thousand installations. The issue is assigned a severity level of 8.8 out of 10. The vulnerability allows any authenticated visitor, including those with subscriber privileges, to elevate their privileges to site administrator or gain access to the wpCentral control panel. The issue was fixed in version 1.5.1.

  • A vulnerability in the Profile Builder plugin, which has about 65 thousand installations. The issue is assigned a severity level of 10 out of 10. The vulnerability allows an unauthenticated user to create an account with administrator privileges (the plugin allows creating registration forms, and a user can simply pass an additional field with the user role, assigning themselves administrator level). The issue was fixed in version 3.1.1.
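Two of the bugs above share root causes that recur across WordPress plugins: an admin-ajax.php action that performs a destructive operation without verifying who is calling it (the ThemeGrill Demo Importer case), and a registration form that trusts a client-supplied role (the Profile Builder case). The following is an added illustration of the hardened form of both patterns; it is not code from any of the plugins named in this article, and the hook, action and function names are hypothetical.

```php
<?php
// Added illustrative example, not code from any plugin named above.
// Hook name 'example_reset_demo' and all function names are hypothetical.

// --- Pattern 1: a privileged AJAX action done right.
// Registered ONLY on the 'wp_ajax_' prefix (logged-in users). Deliberately not
// registered on 'wp_ajax_nopriv_', so unauthenticated visitors never reach a
// reset/delete operation at all.
add_action( 'wp_ajax_example_reset_demo', 'example_reset_demo_handler' );

function example_reset_demo_handler() {
    // Nonce check: the request must originate from a form WordPress rendered
    // for this user (blocks cross-site request forgery).
    check_ajax_referer( 'example_reset_demo', 'nonce' );

    // Capability check: being logged in is not enough; a subscriber must not
    // be able to reset the site. 'manage_options' is administrator-level.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // ... the actual (destructive) reset would happen here ...
    wp_send_json_success();
}

// --- Pattern 2: a public registration form that never lets the client pick
// a privileged role. The role comes from a server-side allow-list; whatever
// the browser sends in a "role" field is reduced to that list or ignored.
function example_register_user( array $form ) {
    $allowed_roles = array( 'subscriber', 'contributor' ); // never 'administrator'
    $requested     = isset( $form['role'] ) ? sanitize_key( $form['role'] ) : '';
    $role          = in_array( $requested, $allowed_roles, true ) ? $requested : 'subscriber';

    // wp_insert_user() applies exactly the role it is given, so the filtering
    // above is the only thing standing between the form and an admin account.
    return wp_insert_user( array(
        'user_login' => sanitize_user( $form['user_login'] ),
        'user_email' => sanitize_email( $form['user_email'] ),
        'user_pass'  => $form['user_pass'],
        'role'       => $role,
    ) );
}
```

When auditing a plugin, search for `wp_ajax_nopriv_` hooks and for `wp_insert_user`/`set_role` calls whose role argument can be traced back to request data; each such site should have the checks shown here.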

In addition, the discovery of networks distributing trojanized WordPress plugins and themes is noteworthy. Attackers placed pirated copies of paid plugins on fake catalog sites, having previously embedded a backdoor into them to obtain remote access and fetch commands from a control server. Once activated, the malicious code was used to insert malicious or deceptive advertising (for example, warnings about the need to install an antivirus or update your browser), and for search engine optimization to promote the sites distributing the malicious plugins. According to preliminary data, more than 20 thousand sites were compromised using these plugins. Among the victims were a decentralized mining platform, a trading firm, a bank, several large companies, a developer of credit-card payment solutions, IT companies, and others.

Source: opennet.ru
