{"id":47884,
"date":"2026-05-20T14:55:46","date_gmt":"2026-05-20T07:55:46",
"guid":{"rendered":"https:\/\/antoanthongtinhaiphong.gov.vn\/?p=47884"},
"modified":"2026-05-20T14:55:46","modified_gmt":"2026-05-20T07:55:46",
"slug":"hon-1-trieu-website-wordpress-co-nguy-co-ro-ri-du-lieu-vi-lo-hong-trong-avada-builder",
"status":"publish","type":"post",
"link":"https:\/\/antoanthongtinhaiphong.gov.vn\/hon-1-trieu-website-wordpress-co-nguy-co-ro-ri-du-lieu-vi-lo-hong-trong-avada-builder\/",
"title":{"rendered":"More than 1 million WordPress websites at risk of data leakage due to vulnerabilities in Avada Builder"},
"content":{"rendered":"<div><b>A series of serious vulnerabilities has just been discovered in the Avada Builder plugin, a popular page-building tool for WordPress used by more than 1 million websites, raising concerns about large-scale data leakage and system intrusion.<\/b><\/div>\n<div>\n<p>The two disclosed vulnerabilities could allow an attacker to read sensitive files on the server and exploit the database to steal user information. These security issues were discovered by researcher Rafie Muhammad through Wordfence's bug bounty program.<\/p>\n<p>The first vulnerability is CVE-2026-4782, affecting Avada Builder version 3.15.2 and earlier. It is an arbitrary file read flaw that allows low-privileged users such as subscribers to gain unauthorized access to important files on the server. The root cause is the plugin's unsafe handling of the \"custom_svg\" parameter in a shortcode. Because the input is neither checked nor validated, an attacker can manipulate the file-loading function to read data from arbitrary locations on the system.<\/p>\n<p>Worryingly, an attacker could access the wp-config.php file, which stores the database connection details, security keys and other sensitive data of a WordPress website. Although its CVSS score is only 6.5, the vulnerability still poses a significant risk because the exploitation requirements are relatively low and it can be abused through ordinary accounts that have been compromised or registered without authorization.<\/p>\n<p>More notable is the SQL Injection vulnerability CVE-2026-4798, affecting Avada Builder version 3.15.1 and earlier. This flaw allows an unauthenticated attacker to carry out a time-based SQL Injection attack through the \"product_order\" parameter. Because the plugin does not properly sanitize the SQL query, malicious statements can be inserted directly into database processing. If exploited successfully, user data, email addresses and password hashes are all at risk of being stolen.<\/p>\n<p>What makes this vulnerability dangerous is that exploitation produces no direct response; instead it relies on the time-based SQL Injection technique, using delay functions such as SQL SLEEP to leak data piece by piece. This makes the attack harder to spot in system logs, and it can continue quietly for a long time. Exploiting CVE-2026-4798 requires that the website once had WooCommerce installed but has since deactivated that plugin. This is not an uncommon condition in practice, however, particularly on e-commerce websites that have changed their business model or stopped selling.<\/p>\n<p>The Avada development team released the fix in two stages. Version 3.15.2 addressed only part of the problem, while the complete patch was released in Avada Builder 3.15.3 on 12 May 2026.<\/p>\n<p>WordPress administrators are advised to update the plugin immediately, review low-privileged user accounts, check the logs for unusual access, and deploy additional layers of protection such as a web application firewall.<\/p>\n<p>With more than 1 million websites using Avada Builder, a single input-validation error or unsafe query handling is enough to create an enormous attack surface on the Internet. More dangerously, attacker groups have by now almost fully automated the exploitation process. As soon as vulnerability details are published, scanning systems can immediately search for unpatched websites and exploit them en masse. Delaying a plugin update is therefore no longer a theoretical risk; it can quickly become the starting point for data theft or website takeover.<\/p><\/div>\n","protected":false},
"excerpt":{"rendered":"<p>A series of serious vulnerabilities has just been discovered in the Avada Builder plugin, a popular page-building tool for WordPress used by more than 1 million websites, raising concerns about large-scale data leakage and system intrusion. The two [&hellip;]<\/p>\n","protected":false},
"author":20,"featured_media":47885,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard",
"meta":{"tdm_status":"","tdm_grid_status":"","footnotes":""},
"categories":[3,24,35],"tags":[],
"class_list":["post-47884","post","type-post","status-publish","format-standard","has-post-thumbnail","category-canh-bao-khuyen-nghi","category-tin-noi-bat","category-tin-tuc-su-kien"],
"amp_enabled":true,
"_links":{"self":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47884","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/comments?post=47884"}],"version-history":[{"count":1,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47884\/revisions"}],"predecessor-version":[{"id":47886,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47884\/revisions\/47886"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media\/47885"}],"wp:attachment":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media?parent=47884"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/categories?post=47884"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/tags?post=47884"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}