{ "id": 5246, "date": "2025-12-10T08:33:22", "date_gmt": "2025-12-10T07:33:22", "guid": { "rendered": "https:\/\/wpmastertoolkit.com\/?p=5246" }, "modified": "2025-12-10T08:33:25", "modified_gmt": "2025-12-10T07:33:25", "slug": "mise-a-jour-de-securite-cve-2025-14166-wpmastertoolkit-2-13-1", "status": "publish", "type": "post", "link": "https:\/\/wpmastertoolkit.com\/fr\/mise-a-jour-de-securite-cve-2025-14166-wpmastertoolkit-2-13-1\/", "title": { "rendered": "Mise \u00e0 jour de s\u00e9curit\u00e9 (CVE-2025-14166) : WPMasterToolKit 2.13.1" }, "content": { "rendered": "

Suite \u00e0 un signalement du WordPress Plugins Team<\/strong> et des chercheurs de Wordfence<\/strong> (CVE-2025-14166), une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 identifi\u00e9e dans le module Code Snippets<\/strong> de WPMasterToolKit (versions \u2264 2.13.0).<\/p>\n\n\n\n

Ce module permettait aux utilisateurs avec un r\u00f4le Contributor<\/strong> (et sup\u00e9rieur) d\u2019ajouter et d\u2019ex\u00e9cuter du code PHP, menant potentiellement \u00e0 une \u00e9l\u00e9vation de privil\u00e8ges.
\u26a0\ufe0f Cela pouvait \u00eatre exploit\u00e9 uniquement si<\/strong> le module Code Snippets avait \u00e9t\u00e9 activ\u00e9 au pr\u00e9alable par un administrateur et qu’il avait d\u00e9j\u00e0 un acc\u00e8s Contributor<\/strong> ou sup\u00e9rieur.<\/p>\n\n\n\n

\u2714\ufe0f Correctif apport\u00e9 dans la version 2.13.1<\/h2>\n\n\n\n

Pour \u00e9liminer tout risque :<\/p>\n\n\n\n

    \n
  • L\u2019acc\u00e8s au module Code Snippets est d\u00e9sormais strictement r\u00e9serv\u00e9 aux Administrateurs<\/strong><\/li>\n\n\n\n
  • Les capacit\u00e9s WordPress ont \u00e9t\u00e9 revues afin de forcer la permission manage_options<\/code><\/strong> sur toutes les actions li\u00e9es aux snippets<\/li>\n<\/ul>\n\n\n\n

    Modification impl\u00e9ment\u00e9e :<\/p>\n\n\n\n

    'capability_type'       => 'page',\n'capabilities'          => array(\n    'edit_post'          => 'manage_options',\n    'read_post'          => 'manage_options',\n    'delete_post'        => 'manage_options',\n    'edit_posts'         => 'manage_options',\n    'edit_others_posts'  => 'manage_options',\n    'publish_posts'      => 'manage_options',\n    'read_private_posts' => 'manage_options',\n),\n<\/code><\/pre>\n\n\n\n
    \ud83d\udd0e V\u00e9rifications compl\u00e9mentaires en cours<\/h2>\n\n\n\n
    Conform\u00e9ment aux exigences de WordPress.org :<\/p>\n\n\n\n
      \n
    • Un audit complet des permissions est en cours sur l\u2019ensemble des modules<\/li>\n\n\n\n
    • Notre code subira un Plugin Check<\/strong> complet afin d\u2019assurer une conformit\u00e9 maximale aux normes de s\u00e9curit\u00e9 et de d\u00e9veloppement WordPress<\/li>\n<\/ul>\n\n\n\n
      \ud83d\udee1\ufe0f Ce que vous devez faire<\/h2>\n\n\n\n
      Si vous utilisez WPMasterToolKit :<\/p>\n\n\n\n
      \u2714\ufe0f Mettez votre plugin \u00e0 jour en 2.13.1 ou sup\u00e9rieur<\/strong>
      \u26a0\ufe0f Si le module Code Snippets \u00e9tait activ\u00e9, v\u00e9rifiez qu\u2019aucun snippet suspect n\u2019a \u00e9t\u00e9 ajout\u00e9 par un utilisateur non-administrateur.<\/p>\n\n\n\n
      \ud83d\ude4f Merci \u00e0 la communaut\u00e9 de s\u00e9curit\u00e9<\/h2>\n\n\n\n
      Nous tenons \u00e0 remercier :<\/p>\n\n\n\n
        \n
      • Les \u00e9quipes de WordPress.org Plugins Team<\/li>\n\n\n\n
      • Les chercheurs de Wordfence ayant identifi\u00e9 et document\u00e9 la faille<\/li>\n<\/ul>\n\n\n\n
        Notre priorit\u00e9 est et restera la s\u00e9curit\u00e9<\/strong> des sites WordPress utilisant WPMasterToolKit.<\/p>\n\n\n\n
        \ud83d\udc4b Une question, un doute, un signalement s\u00e9curit\u00e9 ?
        Notre \u00e9quipe reste disponible via le support WordPress.org ou notre site officiel.<\/p>\n\n\n\n
        Restons vigilants, restons s\u00e9curis\u00e9s. \ud83d\udd12\ud83d\ude80<\/p>",
        "protected": false
    },
    "excerpt": {
        "rendered": "
        Suite \u00e0 un signalement du WordPress Plugins Team et des chercheurs de Wordfence (CVE-2025-14166), une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 identifi\u00e9e dans le module Code Snippets de WPMasterToolKit (versions \u2264 2.13.0). Ce module permettait aux utilisateurs avec un r\u00f4le Contributor (et sup\u00e9rieur) d\u2019ajouter et d\u2019ex\u00e9cuter du code PHP, menant potentiellement \u00e0 une \u00e9l\u00e9vation de privil\u00e8ges.\u26a0\ufe0f Cela pouvait […]<\/p>",
        "protected": false
    },
    "author": 1,
    "featured_media": 0,
    "comment_status": "closed",
    "ping_status": "closed",
    "sticky": false,
    "template": "",
    "format": "standard",
    "meta": {
        "_acf_changed": false,
        "_seopress_robots_primary_cat": "",
        "_seopress_titles_title": "",
        "_seopress_titles_desc": "",
        "_seopress_robots_index": "",
        "_surecart_dashboard_logo_width": "180px",
        "_surecart_dashboard_show_logo": true,
        "_surecart_dashboard_navigation_orders": true,
        "_surecart_dashboard_navigation_invoices": true,
        "_surecart_dashboard_navigation_subscriptions": true,
        "_surecart_dashboard_navigation_downloads": true,
        "_surecart_dashboard_navigation_billing": true,
        "_surecart_dashboard_navigation_account": true,
        "footnotes": ""
    },
    "categories": [
        1
    ],
    "tags": [],
    "class_list": [
        "post-5246",
        "post",
        "type-post",
        "status-publish",
        "format-standard",
        "hentry",
        "category-non-classe"
    ],
    "acf": [],
    "_links": {
        "self": [
            {
                "href": "https:\/\/wpmastertoolkit.com\/fr\/wp-json\/wp\/v2\/posts\/5246",
                "targetHints": {
                    "allow": [
                        "GET"
                    ]
                }
            }
        ],
        "collection": [
            {
                "href": "https:\/\/wpmastertoolkit.com\/fr\/wp-json\/wp\/v2\/posts"
            }
        ],
        "about": [
            {
                "href": "https:\/\/wpmastertoolkit.com\/fr\/wp-json\/wp\/v2\/types\/post"
            }
        ],
        "author": [
            {
                "embeddable": true,
                "href": "https:\/\/wpmastertoolkit.com\/fr\/wp-json\/wp\/v2\/users\/1"
            }
        ],
        "replies": [
            {
                "embeddable": true,
                "href": "https:\/\/wpmastertoolkit.com\/fr\/wp-json\/wp\/v2\/comments?post=5246"
            }
        ],
        "version-history": [
            {
                "count": 2,
                "href": "https:\/\/wpmastertoolkit.com\/fr\/wp-json\/wp\/v2\/posts\/5246\/revisions"
            }
        ],
        "predecessor-version": [
            {
                "id": 5248,
                "href": "https:\/\/wpmastertoolkit.com\/fr\/wp-json\/wp\/v2\/posts\/5246\/revisions\/5248"
            }
        ],
        "wp:attachment": [
            {
                "href": "https:\/\/wpmastertoolkit.com\/fr\/wp-json\/wp\/v2\/media?parent=5246"
            }
        ],
        "wp:term": [
            {
                "taxonomy": "category",
                "embeddable": true,
                "href": "https:\/\/wpmastertoolkit.com\/fr\/wp-json\/wp\/v2\/categories?post=5246"
            },
            {
                "taxonomy": "post_tag",
                "embeddable": true,
                "href": "https:\/\/wpmastertoolkit.com\/fr\/wp-json\/wp\/v2\/tags?post=5246"
            }
        ],
        "curies": [
            {
                "name": "wp",
                "href": "https:\/\/api.w.org\/{rel}",
                "templated": true
            }
        ]
    }
}