<h1>WordPress vulnerability alert</h1>
<p><em>sajberinfo.com, 10 December 2023.</em> Original (Bosnian) post: <a href="https://sajberinfo.com/en/2023/12/10/upozorenje-na-wordpress-ranjivost/">https://sajberinfo.com/en/2023/12/10/upozorenje-na-wordpress-ranjivost/</a></p>
<p>This alert concerns WordPress versions <em>6.4</em> and <em>6.4.1</em>. Version <em>6.4.2</em> fixes a flaw introduced in 6.4: a Property Oriented Programming (<em>POP</em>) chain inside core. The chain is not exploitable by itself. It depends on a separate <em>PHP Object Injection</em> vulnerability, typically in a plugin or theme, that lets an attacker feed a crafted serialized object to <code>unserialize()</code>.</p>
<div id="attachment_5796" class="wp-caption aligncenter"><img class="size-full wp-image-5796" src="https://sajberinfo.com/wp-content/uploads/2023/12/Update-WordPress.jpg" alt="WordPress vulnerability" width="1024" height="1024" /><p id="caption-attachment-5796" class="wp-caption-text"><em>WordPress vulnerability alert; Source: Bing Image Creator</em></p></div>

<h2><span class="ez-toc-section" id="WORDPRESS_RANJIVOST"></span><strong><em>WORDPRESS</em> VULNERABILITY</strong><span class="ez-toc-section-end"></span></h2>
<p>Put simply, combined with any object injection vulnerability that may exist in a plugin, the chain posed a critical threat: it could allow arbitrary <em>PHP</em> code execution on affected sites. <a href="https://www.wordfence.com/blog/2023/12/psa-critical-pop-chain-allowing-remote-code-execution-patched-in-wordpress-6-4-2/" target="_blank" rel="noopener"><em>Wordfence</em> stresses</a> that the risk extends to complete site takeover.</p>
<p>Alongside this vulnerability a second danger has appeared: <a href="https://sajberinfo.com/en/2022/03/19/hakeri-crni-sesiri-epizoda-3/" target="_blank" rel="nofollow noopener">malicious actors</a> are exploiting the news with a <a href="https://sajberinfo.com/en/2023/12/04/wordpress-phishing-prevara-iskoristava-laznu-ranjivost/" target="_blank" rel="nofollow noopener">fake <em>WordPress</em> update</a> that distributes <a href="https://sajberinfo.com/en/2023/04/11/backdoor/" target="_blank" rel="nofollow noopener"><em>backdoor</em></a> malware. Unsuspecting users may install the very threat they are trying to protect themselves from, believing it to be a legitimate security fix.</p>

<h2><span class="ez-toc-section" id="DETALJI_RANJIVOSTI"></span><strong>VULNERABILITY DETAILS</strong><span class="ez-toc-section-end"></span></h2>
<p>The root of the problem is the <em>WP_HTML_Token</em> class, introduced in <em>WordPress 6.4</em> to improve <em>HTML</em> parsing in the block editor. Its destructor invokes a callable stored in one object property, passing it a value stored in another property. In normal operation core creates these objects itself with trusted values. When an attacker can inject an object, that is, when some code on the site unserializes attacker-controlled data, the attacker sets both properties and therefore controls both the function and its argument, which amounts to arbitrary code execution on the compromised <em>WordPress</em> site.</p>
<p>The consequences include unauthorized access leading to data theft, defacement of the site and potential distribution of <a href="https://sajberinfo.com/en/2021/09/26/malware/" target="_blank" rel="nofollow noopener">malware</a> to visitors; in practice, full site takeover.</p>
<p>Recognizing its seriousness, <em>WordPress</em> classified this as a remote code execution vulnerability. Although it cannot be exploited directly in <em>WordPress</em> core, its severity escalates considerably when combined with certain plugins, particularly on multisite installations. <em>WordPress</em> core itself has no known object injection vulnerabilities; they are found in plugins and themes, and that is what turns the chain into a practical risk.</p>

<h2><span class="ez-toc-section" id="ZAKLJUCAK"></span><strong>CONCLUSION</strong><span class="ez-toc-section-end"></span></h2>
<p><em>WordPress</em> is one of the most popular website builders, powering some 800 million websites. Its popularity also means it is under constant scrutiny by malicious actors, yet vulnerabilities are rarely found in the <em>WordPress</em> platform itself. It is far easier for attackers to find flaws in plugins and themes, especially free ones.</p>
<p>These plugins and themes are often written by enthusiasts, or by people who later abandon or forget the project, so vulnerabilities stay present longer and are fixed more slowly. Malicious actors can use such flaws to steal data, redirect visitors to other malicious pages, display unwanted ads and much more.</p>

<h2><span class="ez-toc-section" id="ZASTITA"></span><strong>PROTECTION</strong><span class="ez-toc-section-end"></span></h2>
<p>In response to this vulnerability, <em>WordPress</em> site owners should prioritize the following actions to protect their site:</p>
<ul>
<li>Update <em>WordPress</em> to version <em>6.4.2</em> immediately, whichever affected version (<em>6.4</em> or <em>6.4.1</em>) is currently installed, so that the security fix removes the chain. Verify the result afterwards under <em>Dashboard &rarr; Updates</em> (the running version is also recorded in <code>wp-includes/version.php</code>).</li>
<li>Apply updates only through the WordPress dashboard or from wordpress.org. Given the fake-update campaign mentioned above, never install an "update" or "security patch" delivered by e-mail or from a third-party link.</li>
<li>Keep plugins and themes updated to their latest versions, so that known vulnerabilities, including object injection vulnerabilities, are closed. Remove plugins and themes that are no longer maintained, since those are where such flaws linger longest.</li>
<li>Run routine vulnerability scans so that problems are detected promptly and fixed in time.</li>
<li>If you maintain a plugin or theme: never call <code>unserialize()</code> on data you do not control (cookies, request parameters, imported files). Prefer JSON for untrusted input, and where legacy serialized data must be read, pass <code>['allowed_classes' =&gt; false]</code> so that no object, and hence no gadget, can be instantiated from it.</li>
</ul>
<p>Tags: PHP, PHP Object Injection, Vulnerability, WordPress</p>
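<p>To make the mechanism from the "Vulnerability details" section concrete, the following is an added example written for this article; it is not WordPress core code and not code from Wordfence. It models a simplified stand-in for a <em>WP_HTML_Token</em>-style gadget (the <code>on_destroy</code> / <code>bookmark_name</code> property names and the <code>__wakeup()</code> mitigation follow the pattern of the 6.4 class and the 6.4.2 fix, but the class below is a reduced model), a hypothetical plugin that calls <code>unserialize()</code> on a cookie value (the injection sink the article says must exist for the chain to matter), a constructed payload, and the two fixes: hardening the sink with <code>allowed_classes</code> and hardening the gadget so it refuses to be unserialized. The class and function names and the payload are invented for illustration.</p>

```php
<?php
// Added example: model of a POP-chain gadget plus an object-injection sink.
// Gadget_Token is a simplified stand-in for a WP_HTML_Token-style class,
// NOT the real WordPress class. Property names mirror the 6.4 pattern.

// 1. The gadget: the destructor calls a property-controlled callable with a
//    property-controlled argument. Harmless while core constructs it itself
//    with trusted values; dangerous once an attacker can choose both values.
class Gadget_Token {
    public $on_destroy;
    public $bookmark_name;

    public function __destruct() {
        if ( is_callable( $this->on_destroy ) ) {
            call_user_func( $this->on_destroy, $this->bookmark_name );
        }
    }
}

// 2. The sink: a hypothetical plugin that unserializes request data. This is
//    the "additional PHP Object Injection vulnerability" the article refers to.
function vulnerable_plugin_load( string $cookie_value ) {
    return unserialize( $cookie_value );                 // any class, any properties
}

// 3. Hardened sink: objects can no longer be instantiated from untrusted input;
//    any object in the string becomes __PHP_Incomplete_Class, which has no destructor.
function hardened_plugin_load( string $cookie_value ) {
    return unserialize( $cookie_value, [ 'allowed_classes' => false ] );
}

// 4. Hardened gadget, in the style of the WordPress 6.4.2 fix: refuse to be
//    unserialized at all. PHP marks an object whose __wakeup() threw so that
//    its destructor does not run.
class Hardened_Token extends Gadget_Token {
    public function __wakeup() {
        throw new \LogicException( __CLASS__ . ' should never be unserialized' );
    }
}

// --- Demonstration on a constructed payload ---
// print_r stands in for whatever callable an attacker would really choose; the
// point is that the function AND its argument come entirely from the string.
$token                = new Gadget_Token();
$token->on_destroy    = 'print_r';        // attacker-chosen function
$token->bookmark_name = 'chain fired';    // attacker-chosen argument
$payload              = serialize( $token );
unset( $token );   // (this local copy's destructor fires once here too)
// $payload is:
// O:12:"Gadget_Token":2:{s:10:"on_destroy";s:7:"print_r";s:13:"bookmark_name";s:11:"chain fired";}

echo "\nVulnerable sink: ";
$obj = vulnerable_plugin_load( $payload );
unset( $obj );                               // destructor runs: prints "chain fired"

echo "\nHardened sink: ";
$obj = hardened_plugin_load( $payload );
echo get_class( $obj );                      // __PHP_Incomplete_Class, nothing is called
unset( $obj );

echo "\nHardened gadget: ";
$payload2 = str_replace( 'O:12:"Gadget_Token"', 'O:14:"Hardened_Token"', $payload );
try {
    $obj = vulnerable_plugin_load( $payload2 );
} catch ( \LogicException $e ) {
    echo 'refused (', $e->getMessage(), ')';  // __wakeup() threw, destructor suppressed
}
echo "\n";
```

<p>Two design points follow from the example. The sink-side fix (<code>allowed_classes =&gt; false</code>) is the one a plugin author controls and it neutralises every gadget, not just this one; the gadget-side fix (<code>__wakeup()</code> throwing) is what core shipped in 6.4.2 and protects sites whose plugins still unserialize untrusted input. Both are needed in practice, because a site owner cannot audit every third-party plugin for a stray <code>unserialize()</code> call.</p>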