Yesterday we discussed a couple of recent instances where WordPress plugins were reported to have vulnerabilities that were fixed after being discovered, and those vulnerabilities were added to the WPScan Vulnerability Database with the vulnerabilities listed as being fixed. But in both cases, when we actually tested out the vulnerabilities as part of adding them to our own vulnerability data, we found that the vulnerabilities had not actually been fixed. Those instances were a reminder of the need to actually check whether vulnerabilities have been fixed (those two instances are by no means the only times that has happened) and a reminder that this isn’t something that happens with data included in the WPScan Vulnerability Database, which is used in a number of services and plugins. It turns out they were not the only ones that incorrectly listed one of the vulnerabilities as being fixed.
Last month we looked at a new source of vulnerability data in WordPress plugins, the plugin CWIS Antivirus Scanner, and found that they were including false reports of vulnerabilities in plugins in their data. Just as we came across it the first time, through our monitoring for updates to plugins that might be related to a security fix, a more recent update for the plugin popped up, and one of the new listings was:
2016-11-22 * Check Email [version = 0.3] XSS : http://www.exploitalert.com/view-details.html?id=25359
As we mentioned in the previous post, while the vulnerability in the Check Email plugin was listed as being fixed in the version after 0.3, 0.5, it was not until two more releases (and our helping the developer) that it was actually fixed in 0.5.2. If they had tested out the vulnerability they would also have noticed it hadn’t been fixed, but clearly they didn’t. So if you use the CWIS Antivirus Scanner to warn you about plugin vulnerabilities, you will need to test out any vulnerabilities in the plugins you use to make sure they are actually fixed, otherwise you might still be vulnerable (or you could use our service, since we actually do that testing in the first place).
That same release of CWIS Antivirus Scanner also continued to add vulnerabilities that don’t actually exist. Two of the other entries were as follows:
2016-11-22 * MailChimp [version = 4.0.7] CSRF/XSS : http://www.exploitalert.com/view-details.html?id=25361
2016-11-22 * Easy Facebook Like Box [version = 4.3.0] CSRF/XSS : http://www.exploitalert.com/view-details.html?id=25351
In the case of both vulnerabilities, just a quick glance by someone knowledgeable about vulnerabilities in WordPress plugins would likely have been enough to conclude that they were false, since the proof of concept for exploiting them seemed to show that the protection against the vulnerability actually existed. When we tested out each of them we found the protection was properly functioning, so neither of the claimed vulnerabilities actually existed.
Including the false report of a vulnerability in the Easy Facebook Like Box plugin is more problematic, as CWIS Antivirus Scanner lists the vulnerable version as being the current version of the plugin. The plugin has 90,000+ active installs according to wordpress.org, so that is a lot of webmasters who could be misled into thinking their website is currently insecure. MailChimp for WordPress has 600,000+ active installs, so even though they are not listing the current version as being vulnerable, a lot of people could think their website had a vulnerability in the past, which it didn’t.