Загрузка...

CVE-2026-14345: WPFunnels expõe WordPress a RCE via logs

Cyber Report PT-BR com os principais CVEs do dia: vulnerabilidade crítica no WordPress WPFunnels, falha de autorização no GKS e risco em picklescan para pipelines Python/IA.

Títulos considerados:
- CVE-2026-14345: WPFunnels expõe WordPress a RCE via logs
- Cyber Report: WPFunnels RCE, GKS sem autorização e picklescan
- Top CVEs: WordPress WPFunnels crítico e risco em picklescan

CVEs, CVSS, afetados, vetor, CWE/fraqueza e correção:
- CVE-2026-14345 — CVSS 9.8 CRITICAL — afetado: The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3. — vetor: NETWORK, complexidade: LOW, privilégios: NONE, interação: NONE, CWE: CWE-434, patch/advisory: desconhecido, NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-14345
- CVE-2026-8377 — CVSS 8.2 HIGH — afetado: Missing Authorization vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows Collect Data from Common Resource Locations.

This issue affects — vetor: NETWORK, complexidade: LOW, privilégios: NONE, interação: NONE, CWE: CWE-862, patch/advisory: desconhecido, NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-8377
- CVE-2025-71364 — CVSS 8.1 HIGH — afetado: picklescan before 0.0.30 fails to detect the asyncio.unix_events._UnixSubprocessTransport._start function in pickle reduce methods, allowing remote code execution. Attackers can cr — vetor: NETWORK, complexidade: LOW, privilégios: NONE, interação: REQUIRED, CWE: CWE-502, patch/advisory: desconhecido, NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-71364

Correção e mitigação: aplicar patches/advisories oficiais; para WPFunnels, verificar versão até 3.12.7, reduzir logs desnecessários, restringir administração e revisar logs; para GKS, atualizar para versão 2 conforme advisory; para picklescan, atualizar para 0.0.30 ou superior e isolar artefatos pickle/modelos não confiáveis.

Fontes oficiais e referências:
- https://nvd.nist.gov/vuln/detail/CVE-2026-14345
- https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.5/admin/modules/settings/class-wpfnl-settings.php#L709
- https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.5/includes/core/classes/class-wpfnl-ajax-handler.php#L39
- https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.5/includes/core/classes/class-wpfnl-ajax-handler.php#L523
- https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.5/public/class-wpfnl-public.php#L1185
- https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.7/admin/modules/settings/class-wpfnl-settings.php#L709
- https://nvd.nist.gov/vuln/detail/CVE-2026-8377
- https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0502
- https://nvd.nist.gov/vuln/detail/CVE-2025-71364
- https://github.com/mmaitre314/picklescan/security/advisories/GHSA-q77w-mwjj-7mqx
- https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-undetected-asyncio-unix-events-unixsubprocesstransport-start

Conteúdo defensivo: sem PoC, sem payloads e sem instruções ofensivas. Termos: vulnerabilidade, patch, segurança, CVSS, CVE, WordPress, WPFunnels, WooCommerce, Access Control System GKS, picklescan, Python, IA, segurança de modelos.

#CyberSecurity #CVE #WordPress #SegurancaDaInformacao #DevSecOps

Видео CVE-2026-14345: WPFunnels expõe WordPress a RCE via logs канала dailytechhackglobal
Яндекс.Метрика
Все заметки Новая заметка Страницу в заметки
Страницу в закладки Мои закладки
На информационно-развлекательном портале SALDA.WS применяются cookie-файлы. Нажимая кнопку Принять, вы подтверждаете свое согласие на их использование.
О CookiesНапомнить позжеПринять