FindAll Listing <= 1.0.5 - 未认证权限提升

该漏洞允许未经身份验证的攻击者在注册过程中指定 'administrator' 角色，从而获得 WordPress 站点的管理员权限。攻击者可以完全控制受影响的站点，包括修改内容、安装恶意插件、窃取敏感数据，甚至完全接管服务器。由于该漏洞需要 FindAll Membership 插件同时激活才能被利用，因此攻击者需要先确保目标站点安装并启用了这两个插件。如果攻击者成功获取管理员权限，他们可以执行任何操作，对站点和用户数据造成严重损害。

WordPress sites utilizing both the FindAll Listing and FindAll Membership plugins, particularly those with legacy configurations or those that haven't implemented robust user access controls, are at significant risk. Shared hosting environments where multiple WordPress sites share the same server resources are also vulnerable, as a compromise of one site could potentially lead to the compromise of others.

• wordpress / plugin: Use wp-cli plugin update to check the installed version of FindAll Listing. • wordpress / plugin: Check the wp-config.php file for any unusual configurations related to user roles or registration parameters. • wordpress / plugin: Search plugin files for the findalllistinguserregistrationadditional_params function and its usage. • generic web: Monitor WordPress access logs for POST requests to the user registration endpoint with suspicious parameters, particularly those attempting to set the user role to 'administrator'.

grep -i 'administrator' /var/log/apache2/access.log | grep 'wp-login.php'

1. 2025-11-27Disclosure

   disclosure

1. 已保留2025-11-22
2. 发布日期2025-11-27
3. 修改日期2026-04-08
4. EPSS 更新日期2026-03-23

最有效的缓解措施是立即将 FindAll Listing 插件升级至 1.1 或更高版本。如果无法立即升级，建议禁用 FindAll Membership 插件，以阻止攻击者利用该漏洞。此外，定期审查 WordPress 插件的权限设置，确保用户角色分配符合最小权限原则。监控 WordPress 站点的用户注册活动，及时发现并调查可疑行为。使用 WAF 或安全插件可以帮助检测和阻止恶意注册尝试。