Plugin Wordpress yang rentan terhadap peretasan
Beberapa contoh kerentanan pada website:
1.
Remote Code Execution(RCE)
Apa itu RCE ? RCE adalah salah satu bug
yang memungkinkan seorang peretats untuk memasukkan command / perintah pada
sebuah situs
2.
SQL Injection
Teknik injeksi kode, yang digunakan untuk
menyerang aplikasi berbasis data, di mana pernyataan SQL berbahaya dimasukkan
ke dalam bidang entri untuk dieksekusi.
3.
Local File Inclusion (LFI)
sebuah lubang pada site
di mana attacker bisa mengakses semua file
di dalam server dengan hanya melalui URL.
4.
Remot File Inclusion
(RFI)
RFI (Remote File Inclusion) adalah sebuah
lubang dimana site mengizinkan attacker meng-include-kan file dari luar server.
5.
Arbitary File Upload
Adalah sebuah bug / kerentanan dimana
seorang penyerang dapat mengupload file tanpa memerlukan hak akses sebagai
admin, atau lebih singkatnya adalah mengupload file secara ilegal
6.
XSS (cross site scripting)
XSS merupakan kependekan yang digunakan
untuk istilah cross site scripting. XSS merupakan salah satu jenis serangan
injeksi code (code injection attack).
Beberapa Plugin WordPress yang rentan / Vuln
|
Plugin
Name
|
Vulnerability
Type
|
Min / Max Versions Affected
|
|
1 Flash
Gallery
|
arbitrary
file upload
|
1.3.0 /
1.5.6
|
|
Tevolution
|
arbitrary
file upload
|
2.0 /
2.2.9
|
|
Addblockblocker
|
arbitrary
file upload
|
0.0.1
|
|
Ads Widget
|
remote
code execution (RCE)
|
2.0 / n/a
|
|
Advanced
Video
Embed Embed
Videos Or
Playlists
|
arbitrary
file viewing
|
n/a / 1.0
|
|
Analytic
|
remote
code execution (RCE)
|
1.8
|
|
Blaze
Slide Show For Wordpress
|
arbitrary
file upload
|
2.0 / 2.7
|
|
Breadcrumbs
Ez
|
remote
code execution (RCE)
|
n/a
|
|
Candidate
Application Form
|
arbitrary
file viewing
|
1.0
|
|
Cherry
Plugin
|
arbitrary
file upload
|
1.0 /
1.2.6
|
|
Chikuncount
|
arbitrary
file upload
|
1.3
|
|
Cip4
Folder Download Widget
|
arbitrary
file viewing
|
1.4 / 1.10
|
|
Developer
Tools
|
arbitrary
file upload
|
1.0.0 /
1.1.4
|
|
Disclosure
Policy Plugin
|
remote
file inclusion (RFI)
|
1.0
|
|
Dop Slider
|
arbitrary
file upload
|
1.0
|
|
Download
Zip Attachments
|
arbitrary
file viewing
|
1
|
|
Front File
Manager
|
arbitrary
file upload
|
0.1
|
|
Google
Maps By Daniel Martyn
|
remote
code execution (RCE)
|
1.0
|
|
Google Mp3
Audio Player
|
arbitrary
file viewing
|
1.0.9 /
1.0.11
|
|
Grapefile
|
arbitrary
file upload
|
1.0 / 1.1
|
|
Gravityforms
|
reflected
cross-site scripting (XSS)
|
1.7 /
1.9.15.11
|
|
Hb Audio
Gallery Lite
|
arbitrary
file viewing
|
1.0.0
|
|
Hd
Webplayer
|
SQL
injection
|
1.0 / 1.1
|
|
History
Collection
|
arbitrary
file viewing
|
1.1. /
1.1.1
|
|
Html5avmanager
|
arbitrary
file upload
|
0.1.0 /
0.2.7
|
|
I Dump
Iphone To Wordpress Photo Uploader
|
arbitrary
file upload
|
1.1.3 /
1.8
|
|
Image
Export
|
arbitrary
file viewing
|
1.0.0 /
1.1.0
|
|
Image
Symlinks
|
arbitrary
file upload
|
0.5 /
0.8.2
|
|
Jssor
Slider
|
arbitrary
file upload
|
1.0 / 1.3
|
|
Magic
Fields
|
arbitrary
file upload
|
1.5 /
1.5.5
|
|
Mailchimp
Integration
|
remote
code execution (RCE)
|
1.0.1 /
1.1
|
|
Miwoftp
|
arbitrary
file viewing
|
1.0.0 /
1.0.4
|
|
Mm Forms
Community
|
arbitrary
file upload
|
1.0 /
2.2.6
|
|
Mobile App
Builder By Wappress
|
arbitrary
file upload
|
n/a / 1.05
|
|
Mobile
Friendly App Builder By Easytouch
|
arbitrary
file upload
|
3.0
|
|
Resume
Submissions Job Postings
|
arbitrary
file upload
|
2.0 /
2.5.3
|
|
Return To
Top
|
remote
code execution (RCE)
|
1.8 / 5.0
|
|
Revslider
|
arbitrary
file viewing
|
1.0 /
4.1.4
|
|
Seo
Keyword Page
|
remote
code execution (RCE)
|
2.0.5
|
|
Seo Spy
Google Wordpress Plugin
|
arbitrary
file upload
|
2.0 / 2.6
|
|
Seo
Watcher
|
arbitrary
file upload
|
1.3.2 /
1.3.3
|
|
Sfwd Lms
|
arbitrary
file upload
|
1.3.6 /
2.5.3
|
|
Share
Buttons Wp
|
remote
code execution (RCE)
|
1.0
|
|
Sharexy
|
restricted
file upload
|
4.0 /
4.2.2
|
|
Site
Editor
|
local file
inclusion (LFI)
|
1.0.0 /
1.1.1
|
|
Site
Import
|
remote
page inclusion
|
1.0.0 /
1.2.0
|
|
Slide Show
Pro
|
arbitrary
file upload
|
2.0 / 2.4
|
|
Smart
Slide Show
|
arbitrary
file upload
|
2.0 / 2.4
|
|
Smart
Videos
|
remote
code execution (RCE)
|
1.0
|
|
Social
Networking E Commerce 1
|
arbitrary
file upload
|
0.0.32
|
|
Social
Sharing
|
possible
arbitrary file upload
|
1.0
|
|
Social
Sticky Animated
|
remote
code execution (RCE)
|
1.0
|
|
Spamtask
|
arbitrary
file upload
|
1.3 /
1.3.6
|
|
Tera
Charts
|
reflected
cross-site scripting (XSS)
|
0.1 / 1.0
|
|
The
Viddler Wordpress Plugin
|
cross-site
request forgery (CSRF)/cross-site scripting (XSS)
|
1.2.3 /
2.0.0
|
|
Ultimate
Member
|
arbitrary
file upload
|
2.0.4 /
2.0.21
|
|
Ultimate
Product Catalogue
|
arbitrary
file upload
|
1.0 /
3.1.1
|
|
Wp Custom
Page
|
arbitrary
file viewing
|
0.5 /
0.5.0.1
|
|
Wp
Dreamworkgallery
|
arbitrary
file upload
|
2.0 / 2.3
|
|
Wp
Easybooking
|
reflected
cross-site scripting (XSS)
|
1.0.0 /
1.0.3
|
|
Wp Handy
Lightbox
|
remote
code execution (RCE)
|
1.4.5
|
|
Wp
Homepage Slideshow
|
arbitrary
file upload
|
2.0 / 2.3
|
|
Wp Image
News Slider
|
arbitrary
file upload
|
3.0 / 3.5
|
|
Wp Js
External Link Info
|
open
redirect (after interstitial)
|
1.0 / 1.21
|
|
Wp
Levoslideshow
|
arbitrary
file upload
|
2.0 / 2.3
|
|
Wp
Symposium
|
arbitrary
file upload
|
13.04 /
14.11
|
|
Wp
Vertical Gallery
|
arbitrary
file upload
|
2.0 / 2.3
|
|
Wp
Yasslideshow
|
arbitrary
file upload
|
3.0 / 3.4
|
|
Wpeasystats
|
local file
inclusion (LFI)
|
1.8
|
|
Xdata
Toolkit
|
arbitrary
file upload
|
1.6 / 1.9
|
|
Zen Mobile
App Native
|
arbitrary
file upload
|
3.0
|