As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them. The data on these false reports is also included in our service’s data.
As with the other false report of a claimed cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability from the same reporter, the claim of one in Easy Facebook Like Box – Custom Facebook Feed – Auto PopUp version 4.3.0 seems to be based on a lack of understanding of what this type of vulnerability actually involves.
Here is the beginning proof of concept included in the report:
<form method="post" action="http://localhost/wp/wp-admin/options.php"> Like box pup up settings </br> <input type='hidden' name='option_page' value='efbl_settings_display_options' /> <input type="hidden" name="action" value="update" /> <input type="hidden" id="_wpnonce" name="_wpnonce" value="aa27b52873" />
The last line you see there looks to be a valid nonce, which is what is used in WordPress to protect against cross-site request forgery. Just to be sure we checked and found that when submitting the request that is supposed to be vulnerable, with either no nonce or and invalid one the plugin properly recognizes the situation and does not permit the request. Therefore there is no vulnerability, as the vulnerability only exists if the cross-site request forgery issue exists.