As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.
If you are going to promote your “web application security scanner” as being “False positive free” as Netsparker does, it would probably be a good not to release advisories for vulnerabilities that don’t actually exist, using data from that tool. But that is what Netsparker did with several recent advisories for WordPress plugins, including a claim of a reflected cross-site scripting (XSS) vulnerability in WP-Polls.
Very little information was provided with the advisory, so to get a better idea of what was going on, we looked at changes made in version 2.73.1, which was supposed to have fixed this.
In the file /polls-options.php, the code that brings the POST input “poll_bar_style”, which was supposed to be the vulnerable input, in to the plugin has been changed.
It looks like this in 2.73:
$poll_bar_style = strip_tags(trim($_POST['poll_bar_style']));
And this in 2.73.1
$poll_bar_style = isset( $_POST['poll_bar_style'] ) && in_array( $_POST['poll_bar_style'], array_merge( array_keys( $poll_bars ), array( 'use_css' ) ) ) ? $_POST['poll_bar_style'] : 'default';
So the code has been changed to restrict what can be set at the value, the previous code had the possibility of leading to reflected XSS depending on how the rest of the code works.
Looking up just one line in the code though shows that their is no reflected XSS possible though, because in 2.73, which was supposed to be vulnerable, you need to provide a valid nonce with the request that would lead to the possibility of reflected XSS:
Since an attacker would not have access to a valid nonce for someone else, there is no possibility of causing someone else to send a valid request where the POST input “poll_bar_style” is displayed, so there is no reflected cross-site scripting (XSS) vulnerability. Restricting what can be input for the POST input “poll_bar_style”, as was done by the plugin’s developer in 2.73.1, is still a good idea as it provides extra protection against the possibly of some future issue.