<h1>Critical vulnerability in the WordPress plugin for Google Fonts</h1>
<p>Published 2024-01-03 at https://quondos.com/mag/vulnerabilidad-critica-en-el-plugin-de-wordpress-para-google-fonts/</p>

<h2><span class="ez-toc-section" id="El_peligro_tras_el_plugin"></span>The danger behind the plugin<span class="ez-toc-section-end"></span></h2>
<p>The plugin in question, <b>OMGF | GDPR/DSGVO Compliant</b>, is a popular tool for optimising how a site uses Google Fonts. According to the researchers, however, it contains a serious vulnerability that lets unauthenticated attackers delete directories and load malicious scripts.</p>

<p>This <b>vulnerability</b> is especially worrying because the attacker does not need an account on the site, which raises the risk level considerably. According to the source, the flaw allows directories to be deleted and <b>Cross-Site Scripting (XSS)</b> payloads to be stored on the site.</p>

<h2><span class="ez-toc-section" id="%C2%BFQue_es_el_Cross-Site_Scripting_XSS"></span>What is Cross-Site Scripting (XSS)?<span class="ez-toc-section-end"></span></h2>
<p>XSS is a class of attack in which an attacker gets a web application to deliver attacker-controlled script to its visitors. In the stored variant relevant here, the script is persisted by the site itself (for example in a setting that is later printed into a page without escaping), so it runs in the browser of every user who loads that page, inside the site's origin. From there it can read session data or cookies that are not protected by HttpOnly and issue requests as that user. According to the researchers, this could let the attacker act with the privilege level of the user visiting the site; if that visitor is a logged-in administrator, the attacker effectively acts as an administrator.</p>

<h2><span class="ez-toc-section" id="La_raiz_del_problema"></span>The root of the problem<span class="ez-toc-section-end"></span></h2>
<p>The cause of the vulnerability, identified by Wordfence researchers, is a missing <b>capability check</b>. Such a check is what determines whether the current user is allowed to invoke a specific plugin function, in this case an administrator-level one.</p>

<p>According to the official WordPress developer documentation, capability checks are the mechanism for granting specific permissions to users or user roles. Wordfence describes the vulnerability as unauthorized data modification and stored XSS caused by the absence of this check in the plugin's <b>update_settings()</b> function: because nothing verifies who is calling it, an unauthenticated request can rewrite plugin settings, and a setting that is later rendered without escaping becomes the stored XSS vector.</p>

<h2><span class="ez-toc-section" id="%C2%BFQue_sigue"></span>What's next?<span class="ez-toc-section-end"></span></h2>
<p>Wordfence notes that earlier updates attempted to close this hole, but considers version <b>5.7.10</b> the fully patched release. If you use OMGF, update now and confirm in the Plugins screen that the active version is 5.7.10 or later; stopping at one of the intermediate versions that only partially addressed the issue is not enough.</p>

<p>Source: https://www.searchenginejournal.com/wordpress-google-fonts-plugin-vulnerability-affects-up-to-300000-users/504869</p>
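<p>To make the root cause concrete, here is an added example of the bug class Wordfence describes (a settings handler reachable without a capability check), placed beside a hardened version. This is illustrative code written for this article, not OMGF's code; the function names, the <code>examplefonts_settings</code> option, its keys and the <code>manage_options</code> capability are assumptions. It relies on one WordPress fact worth knowing: the <code>admin_init</code> hook also fires for requests to <code>wp-admin/admin-ajax.php</code>, which unauthenticated visitors can reach, so a handler hooked there is not protected by the admin screen alone.</p>

```php
<?php
// Added example, not OMGF's code. Hypothetical plugin "examplefonts";
// all names and option keys below are assumptions for illustration.

// ---- Vulnerable pattern ----------------------------------------------------
// admin_init fires for any request that loads wp-admin/admin-ajax.php,
// including unauthenticated ones. Nothing checks who is calling, nothing
// checks a nonce, and the raw POST value is stored as-is.
function examplefonts_update_settings_vulnerable() {
    if ( isset( $_POST['examplefonts_settings'] ) ) {
        update_option( 'examplefonts_settings', wp_unslash( $_POST['examplefonts_settings'] ) );
    }
}
add_action( 'admin_init', 'examplefonts_update_settings_vulnerable' );

// The stored value is later printed without escaping. Combined with the
// unauthorized write above, that is stored XSS against whoever views the
// page (an administrator, on the settings screen).
function examplefonts_render_vulnerable() {
    $settings = get_option( 'examplefonts_settings', array() );
    echo '<input type="text" name="examplefonts_settings[cdn_url]" value="' . $settings['cdn_url'] . '">';
}

// ---- Hardened pattern ------------------------------------------------------
function examplefonts_update_settings_hardened() {
    // React only to our own form submission.
    if ( ! isset( $_POST['examplefonts_settings'], $_POST['_wpnonce'] ) ) {
        return;
    }

    // 1. Capability check: current_user_can() is false for anonymous visitors
    //    and for logged-in users whose role lacks the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: stops CSRF even when the caller really is an admin.
    $nonce = sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'examplefonts_update_settings' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // 3. Allow-list the keys and sanitize each value by type. cache_dir is
    //    sanitized as a file name so a setting that names a directory the
    //    plugin later clears cannot carry path traversal (assumed usage).
    $raw   = (array) wp_unslash( $_POST['examplefonts_settings'] );
    $clean = array(
        'cdn_url'   => isset( $raw['cdn_url'] ) ? esc_url_raw( $raw['cdn_url'] ) : '',
        'preload'   => ! empty( $raw['preload'] ) ? 1 : 0,
        'cache_dir' => isset( $raw['cache_dir'] ) ? sanitize_file_name( $raw['cache_dir'] ) : 'examplefonts',
    );
    update_option( 'examplefonts_settings', $clean );
}
add_action( 'admin_init', 'examplefonts_update_settings_hardened' );

// 4. Escape on output no matter what is stored; the nonce field makes the
//    form the only legitimate way to reach the handler.
function examplefonts_render_hardened() {
    $settings = get_option( 'examplefonts_settings', array() );
    printf(
        '<input type="text" name="examplefonts_settings[cdn_url]" value="%s">',
        esc_attr( isset( $settings['cdn_url'] ) ? $settings['cdn_url'] : '' )
    );
    wp_nonce_field( 'examplefonts_update_settings' );
}
```

<p>The order of the checks matters: the capability check is the one Wordfence says was missing, and it is what turns "anyone on the internet" into "administrators only"; the nonce check then closes the cross-site request forgery route that remains once only administrators can call the function; sanitizing on input and escaping on output keeps a legitimately stored value from ever being interpreted as markup. Any one of these on its own leaves a gap.</p>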