{"id":4523,"date":"2024-08-19T14:35:25","date_gmt":"2024-08-19T14:35:25","guid":{"rendered":"http:\/\/127.0.0.1\/bp-profile-search-5-7-5-csrf-a-xss-reflejado\/"},"modified":"2024-08-19T14:35:25","modified_gmt":"2024-08-19T14:35:25","slug":"bp-profile-search-5-7-5-csrf-a-xss-reflejado","status":"publish","type":"post","link":"http:\/\/127.0.0.1\/bp-profile-search-5-7-5-csrf-a-xss-reflejado\/","title":{"rendered":"BP Profile Search <= 5.7.5 – CSRF to Reflected XSS"},"content":{"rendered":"
The BP Profile Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.7.5. This is due to missing or incorrect nonce validation in the bps_ajax_field_selector(), bps_ajax_template_options() and bps_ajax_field_row() functions. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking a link.<\/div>\n


To remediate this vulnerability in the BP Profile Search plugin, users are advised to update to the latest available version, in this case version 5.7.6 or later. Additionally, it is suggested to implement extra security measures, such as using security plugins that detect and block this type of CSRF attack.<\/div>\n
It is essential to keep all WordPress plugins and themes up to date to avoid security vulnerabilities that attackers could exploit. Security must be a priority in the management of a website in order to protect sensitive information and the integrity of its users.<\/div>\n","protected":false},"excerpt":{"rendered":"

The BP Profile Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.7.5. This is due to missing or incorrect nonce validation in the bps_ajax_field_selector(), bps_ajax_template_options() and bps_ajax_field_row() functions. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[2220],"class_list":["post-4523","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-cve-2024-7850"],"yoast_head":"\nBP Profile Search <= 5.7.5 - CSRF a XSS Reflejado - SeguridadWordPress.es<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/127.0.0.1\/bp-profile-search-5-7-5-csrf-a-xss-reflejado\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"BP Profile Search <= 5.7.5 - CSRF a XSS Reflejado - SeguridadWordPress.es\" \/>\n<meta property=\"og:description\" content=\"El plugin BP Profile Search para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta, e incluyendo, la 5.7.5. Esto se debe a la falta o incorrecta validaci\u00f3n de nonce en las funciones bps_ajax_field_selector(), bps_ajax_template_options() y bps_ajax_field_row(). 
Esto permite a atacantes no autenticados inyectar scripts web maliciosos a trav\u00e9s de una solicitud […]\" \/>\n<meta property=\"og:url\" content=\"http:\/\/127.0.0.1\/bp-profile-search-5-7-5-csrf-a-xss-reflejado\/\" \/>\n<meta property=\"og:site_name\" content=\"SeguridadWordPress.es\" \/>\n<meta property=\"article:published_time\" content=\"2024-08-19T14:35:25+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"http:\/\/127.0.0.1\/bp-profile-search-5-7-5-csrf-a-xss-reflejado\/\",\"url\":\"http:\/\/127.0.0.1\/bp-profile-search-5-7-5-csrf-a-xss-reflejado\/\",\"name\":\"BP Profile Search <= 5.7.5 - CSRF a XSS Reflejado - SeguridadWordPress.es\",\"isPartOf\":{\"@id\":\"http:\/\/127.0.0.1\/#website\"},\"datePublished\":\"2024-08-19T14:35:25+00:00\",\"dateModified\":\"2024-08-19T14:35:25+00:00\",\"author\":{\"@id\":\"\"},\"breadcrumb\":{\"@id\":\"http:\/\/127.0.0.1\/bp-profile-search-5-7-5-csrf-a-xss-reflejado\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/127.0.0.1\/bp-profile-search-5-7-5-csrf-a-xss-reflejado\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/127.0.0.1\/bp-profile-search-5-7-5-csrf-a-xss-reflejado\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"http:\/\/127.0.0.1\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"BP Profile Search <= 5.7.5 – CSRF a XSS Reflejado\"}]},{\"@type\":\"WebSite\",\"@id\":\"http:\/\/127.0.0.1\/#website\",\"url\":\"http:\/\/127.0.0.1\/\",\"name\":\"SeguridadWordPress.es\",\"description\":\"Recopilaci\u00f3n de vulnerabilidades 
WordPress.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/127.0.0.1\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"BP Profile Search <= 5.7.5 - CSRF a XSS Reflejado - SeguridadWordPress.es","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/127.0.0.1\/bp-profile-search-5-7-5-csrf-a-xss-reflejado\/","og_locale":"en_US","og_type":"article","og_title":"BP Profile Search <= 5.7.5 - CSRF a XSS Reflejado - SeguridadWordPress.es","og_description":"El plugin BP Profile Search para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta, e incluyendo, la 5.7.5. Esto se debe a la falta o incorrecta validaci\u00f3n de nonce en las funciones bps_ajax_field_selector(), bps_ajax_template_options() y bps_ajax_field_row(). Esto permite a atacantes no autenticados inyectar scripts web maliciosos a trav\u00e9s de una solicitud […]","og_url":"http:\/\/127.0.0.1\/bp-profile-search-5-7-5-csrf-a-xss-reflejado\/","og_site_name":"SeguridadWordPress.es","article_published_time":"2024-08-19T14:35:25+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"http:\/\/127.0.0.1\/bp-profile-search-5-7-5-csrf-a-xss-reflejado\/","url":"http:\/\/127.0.0.1\/bp-profile-search-5-7-5-csrf-a-xss-reflejado\/","name":"BP Profile Search <= 5.7.5 - CSRF a XSS Reflejado - SeguridadWordPress.es","isPartOf":{"@id":"http:\/\/127.0.0.1\/#website"},"datePublished":"2024-08-19T14:35:25+00:00","dateModified":"2024-08-19T14:35:25+00:00","author":{"@id":""},"breadcrumb":{"@id":"http:\/\/127.0.0.1\/bp-profile-search-5-7-5-csrf-a-xss-reflejado\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["http:\/\/127.0.0.1\/bp-profile-search-5-7-5-csrf-a-xss-reflejado\/"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/127.0.0.1\/bp-profile-search-5-7-5-csrf-a-xss-reflejado\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"http:\/\/127.0.0.1\/"},{"@type":"ListItem","position":2,"name":"BP Profile Search <= 5.7.5 – CSRF a XSS Reflejado"}]},{"@type":"WebSite","@id":"http:\/\/127.0.0.1\/#website","url":"http:\/\/127.0.0.1\/","name":"SeguridadWordPress.es","description":"Recopilaci\u00f3n de vulnerabilidades WordPress.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/127.0.0.1\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"}]}},"amp_enabled":true,"_links":{"self":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/4523"}],"collection":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/comments?post=4523"}],"version-history":[{"count":0,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/4523\/revisions"}],"wp:attachment":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/media?parent=4523"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/categories?post=4523"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/tags?post=4523"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}