{"id":176308,"date":"2016-04-05T02:44:23","date_gmt":"2016-04-05T00:44:23","guid":{"rendered":"http:\/\/www.borncity.com\/blog\/?p=176308"},"modified":"2016-04-05T02:44:23","modified_gmt":"2016-04-05T00:44:23","slug":"wordpress-user-role-editor-plugin-angreifbar","status":"publish","type":"post","link":"https:\/\/borncity.com\/blog\/2016\/04\/05\/wordpress-user-role-editor-plugin-angreifbar\/","title":{"rendered":"WordPress: User Role Editor-Plugin angreifbar"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" alt=\"\" src=\"https:\/\/borncity.com\/blog\/wp-content\/uploads\/2014\/07\/wp_thumb.jpg\" width=\"64\" align=\"left\" height=\"64\"\/>WordPress-Nutzer, die das Plugin User Role Editor einsetzen, sollten schnellstm\u00f6glich reagieren und dieses updaten. Eine Schwachstelle erm\u00f6glicht Angreifern Administratorrechte zu erlangen.<\/p>\n<p><!--more--><\/p>\n<p><a href=\"https:\/\/wordpress.org\/plugins\/user-role-editor\/\" target=\"_blank\">Das Plugin<\/a> wird mehr als 300.000 Mal eingesetzt. Problem ist, dass der Benutzer seine Rolle selbst editieren konnte (was nur Administratoren vorbehalten sein darf). Auf das Problem weisen die Leute von WordFence in <a href=\"https:\/\/www.wordfence.com\/blog\/2016\/04\/user-role-editor-vulnerability\/\" target=\"_blank\">diesem Blog-Post<\/a> hin. In der neuen Version wurde der in folgendem Screenshot gr\u00fcn hervorgehobene Code zur Pr\u00fcfung, ob ein Konto Admini-Rechte hat, hinzugef\u00fcgt. <\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.wordfence.com\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-04-at-9.58.02-AM.png\"\/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>WordPress-Nutzer, die das Plugin User Role Editor einsetzen, sollten schnellstm\u00f6glich reagieren und dieses updaten. Eine Schwachstelle erm\u00f6glicht Angreifern Administratorrechte zu erlangen.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[426],"tags":[4328,4349],"class_list":["post-176308","post","type-post","status-publish","format-standard","hentry","category-sicherheit","tag-sicherheit","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/posts\/176308","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/comments?post=176308"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/posts\/176308\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/media?parent=176308"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/categories?post=176308"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/tags?post=176308"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}