05 Jan

False Vulnerability Report: FormCraft – Form Builder File Upload Vulnerability

As part of cataloging the vulnerabilities in WordPress plugins for our service, we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.

On Saturday a report of a file upload vulnerability in the FormCraft – Form Builder plugin was added to milw00rm. Right off the bat something looked wrong with this report: the URL for the plugin is https://wordpress.org/plugins/formcraft-form-builder/, but the path listed for the exploit would be for a plugin named “formcraft” instead of “formcraft-form-builder”:

Just to be sure, we checked, and neither the current version, 1.0.5, nor the prior versions of the plugin contain the directory “file-upload”, and the file upload.php does not exist in any other location in the plugin, so the plugin could not be vulnerable to the claimed vulnerability.