This week two plugins, ShortPixel Adaptive Images and Yoast SEO (its Premium and Local extensions), had security vulnerabilities disclosed, and both were rated medium severity.
Shortpixel Adaptive Images Plugin
The ShortPixel Adaptive Images plugin for WordPress is vulnerable to cross-site request forgery in versions up to and including 3.7.1. The cause is a missing nonce check on the 'shortpixel_ai_handle_page_action' AJAX action, so nothing verifies that a request to it was issued from the plugin's own admin pages. An unauthenticated attacker can therefore change plugin settings with a forged request, provided they can trick a logged-in site administrator into performing an action such as clicking a link.
Yoast SEO Plugin
Two Yoast SEO extensions were affected. Yoast SEO Premium, version 20.4 and lower, had a broken access control issue that let an unauthenticated user reset the plugin's Zapier API key. Yoast SEO Local, version 14.8 and lower, had a cross-site request forgery vulnerability. A patch was released for the Premium extension, but at the time of writing Yoast had not released an update for the Local extension.
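The pattern behind both CSRF findings and the unauthenticated key reset is the same: an admin-ajax handler that changes state without verifying a nonce or the caller's capability. The following is an added example, not code from ShortPixel, Yoast or this post. It shows a hypothetical plugin's handler that resets an integration API key, first without those checks and then hardened. The plugin prefix (example_), action names, option name, settings page hook and script handle are all assumed; the WordPress functions used are the real core APIs.

```php
<?php
/**
 * Added illustration, not code from ShortPixel or Yoast. A hypothetical plugin
 * exposes an admin-ajax action that resets an integration API key, first with
 * the checks the advisories above describe as missing, then hardened.
 */

// --- Vulnerable pattern: no nonce check, no capability check ----------------
// Registered for logged-in users (wp_ajax_) and for anonymous visitors
// (wp_ajax_nopriv_), so the handler runs for anyone who can reach admin-ajax.php.
add_action( 'wp_ajax_example_reset_api_key',        'example_reset_api_key_vulnerable' );
add_action( 'wp_ajax_nopriv_example_reset_api_key', 'example_reset_api_key_vulnerable' );

function example_reset_api_key_vulnerable() {
    // Nothing ties this request to a page the site rendered (no nonce) and
    // nothing checks who is asking (no capability check). A form on an
    // attacker's page that an administrator visits, or a plain POST from
    // anywhere because of the nopriv registration, overwrites the stored key.
    $new_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : wp_generate_password( 32, false );
    update_option( 'example_integration_api_key', $new_key );
    wp_send_json_success( array( 'api_key' => $new_key ) );
}

// --- Hardened pattern --------------------------------------------------------
// Only logged-in users reach the handler (no wp_ajax_nopriv_ registration).
// The nonce check defeats cross-site requests; the capability check restricts
// the action to administrators. Both are needed: a nonce alone is not an
// authorization check, and a capability check alone does not stop CSRF.
add_action( 'wp_ajax_example_reset_api_key_secure', 'example_reset_api_key_secure' );

function example_reset_api_key_secure() {
    // Ends the request with HTTP 403 unless the 'nonce' parameter carries a
    // valid nonce for the action 'example_reset_api_key'.
    check_ajax_referer( 'example_reset_api_key', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Generate the key server-side rather than accepting one from the request,
    // and do not echo it back in the response.
    $new_key = wp_generate_password( 32, false );
    update_option( 'example_integration_api_key', $new_key );
    wp_send_json_success( array( 'message' => 'API key reset.' ) );
}

// The settings page hands the nonce to the script that fires the request. The
// script then POSTs action=example_reset_api_key_secure&nonce=<value> to
// admin-ajax.php. The page hook and script file name are assumed.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_example' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'example-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-settings', 'exampleSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_reset_api_key' ),
    ) );
} );
```

A quick check for plugins you maintain or review: list every `wp_ajax_` and `wp_ajax_nopriv_` registration and confirm each state-changing handler calls `check_ajax_referer()` (or `wp_verify_nonce()`) and a `current_user_can()` check before it writes anything. For the plugins above, the only fix available to site owners is to update to the patched release where one exists, and to watch the vendor's changelog for the Local extension.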
Sources:
1. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/shortpixel-adaptive-images/shortpixel-adaptive-images-371-cross-site-request-forgery-via-shortpixel-ai-handle-page-action
2. https://patchstack.com/database/vulnerability/wordpress-seo-premium/wordpress-yoast-seo-premium-plugin-20-4-unauthenticated-zapier-api-key-reset-vulnerability
3. https://patchstack.com/database/vulnerability/wpseo-local/wordpress-yoast-seo-local-plugin-14-8-cross-site-request-forgery-csrf-vulnerability
Last edited by Admin on Thu May 11, 2023 8:38 am; edited 2 times in total (Reason for editing : added ref links)