WordPress YIT Plugin Framework 安全漏洞

CVE编号

CVE-2019-16251

利用情况

暂无

补丁情况

N/A

披露时间

2019-11-01

漏洞描述

WordPress是WordPress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。YIT Plugin Framework是使用在其中的一个YIT插件框架。 WordPress YIT Plugin Framework 3.3.8及之前版本中的plugin-fw/lib/yit-plugin-panel-wc.php文件存在安全漏洞。攻击者可利用该漏洞修改插件的选项。

解决建议

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法：
https://yithemes.com

参考链接
https://blog.nintechnet.com/authenticated-settings-change-vulnerability-in-yi...
https://wpvulndb.com/vulnerabilities/9932

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	应用	yithemes	yith_advanced_refund_system_for_woocommerce	*		Up to (including) 1.0.10
	运行在以下环境
	应用	yithemes	yith_color_and_label_variations_for_woocommerce	*		Up to (including) 1.8.11
	运行在以下环境
	应用	yithemes	yith_custom_thank_you_page_for_woocommerce	*		Up to (including) 1.1.6
	运行在以下环境
	应用	yithemes	yith_desktop_notifications_for_woocommerce	*		Up to (including) 1.2.7
	运行在以下环境
	应用	yithemes	yith_paypal_express_checkout_for_woocommerce	*		Up to (including) 1.2.5
	运行在以下环境
	应用	yithemes	yith_pre-order_for_woocommerce	*		Up to (including) 1.1.9
	运行在以下环境
	应用	yithemes	yith_product_size_charts_for_woocommerce	*		Up to (including) 1.1.1
	运行在以下环境
	应用	yithemes	yith_woocommerce_added_to_cart_popup	*		Up to (including) 1.3.11
	运行在以下环境
	应用	yithemes	yith_woocommerce_advanced_reviews	*		Up to (including) 1.3.9
	运行在以下环境
	应用	yithemes	yith_woocommerce_affiliates	*		Up to (including) 1.6.3
	运行在以下环境
	应用	yithemes	yith_woocommerce_ajax_search	*		Up to (including) 1.6.9
	运行在以下环境
	应用	yithemes	yith_woocommerce_authorize.net_payment_gateway	*		Up to (including) 1.1.12
	运行在以下环境
	应用	yithemes	yith_woocommerce_badge_management	*		Up to (including) 1.3.19
	运行在以下环境
	应用	yithemes	yith_woocommerce_best_sellers	*		Up to (including) 1.1.11
	运行在以下环境
	应用	yithemes	yith_woocommerce_brands_add-on	*		Up to (including) 1.3.6
	运行在以下环境
	应用	yithemes	yith_woocommerce_bulk_product_editing	*		Up to (including) 1.2.13
	运行在以下环境
	应用	yithemes	yith_woocommerce_cart_messages	*		Up to (including) 1.4.3
	运行在以下环境
	应用	yithemes	yith_woocommerce_compare	*		Up to (including) 2.3.13
	运行在以下环境
	应用	yithemes	yith_woocommerce_frequently_bought_together	*		Up to (including) 1.2.10
	运行在以下环境
	应用	yithemes	yith_woocommerce_gift_cards	*		Up to (including) 1.3.7
	运行在以下环境
	应用	yithemes	yith_woocommerce_mailchimp	*		Up to (including) 2.1.3
	运行在以下环境
	应用	yithemes	yith_woocommerce_multi-step_checkout	*		Up to (including) 1.7.4
	运行在以下环境
	应用	yithemes	yith_woocommerce_multi_vendor	*		Up to (including) 3.4.0
	运行在以下环境
	应用	yithemes	yith_woocommerce_order_tracking	*		Up to (including) 1.2.10
	运行在以下环境
	应用	yithemes	yith_woocommerce_pdf_invoice_and_shipping_list	*		Up to (including) 1.2.12
	运行在以下环境
	应用	yithemes	yith_woocommerce_points_and_rewards	*		Up to (including) 1.3.4
	运行在以下环境
	应用	yithemes	yith_woocommerce_product_add-ons	*		Up to (including) 1.5.21
	运行在以下环境
	应用	yithemes	yith_woocommerce_product_bundles	*		Up to (including) 1.1.15
	运行在以下环境
	应用	yithemes	yith_woocommerce_questions_and_answers	*		Up to (including) 1.1.9
	运行在以下环境
	应用	yithemes	yith_woocommerce_quick_view	*		Up to (including) 1.3.13
	运行在以下环境
	应用	yithemes	yith_woocommerce_recover_abandoned_cart	*		Up to (including) 1.3.2
	运行在以下环境
应用	yithemes	yith_woocommerce_request_a_quote	*		Up to (including) 1.4.7
运行在以下环境
应用	yithemes	yith_woocommerce_social_login	*		Up to (including) 1.3.4
运行在以下环境
应用	yithemes	yith_woocommerce_stripe	*		Up to (including) 2.0.1
运行在以下环境
应用	yithemes	yith_woocommerce_subscription	*		Up to (including) 1.3.4
运行在以下环境
应用	yithemes	yith_woocommerce_waiting_list	*		Up to (including) 1.3.9
运行在以下环境
应用	yithemes	yith_woocommerce_wishlist	*		Up to (including) 2.2.13
运行在以下环境
应用	yithemes	yith_woocommerce_zoom_magnifier	*		Up to (including) 1.3.11

CVSS3评分 4.3

• 攻击路径 网络
• 攻击复杂度 低
• 权限要求 低
• 影响范围 未更改
• 用户交互 无
• 可用性 无
• 保密性 无
• 完整性 低

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CWE-ID 漏洞类型 NVD-CWE-noinfo