21 Mar

VulDB Includes False Report of Vulnerability in WordPress Plugin

One of the differences when you get data on vulnerabilities in WordPress plugins you use from us instead of other providers is that we actually make sure that claimed vulnerabilities exist. Being warned about a vulnerability that doesn’t exist obviously isn’t useful, especially if you are told that vulnerability is in the current version of the plugin, which is often the case.

Yesterday we looked at an example of just such a situation with the plugin WP Markdown Editor. We mentioned how the WPScan Vulnerability Database, which is the true source of plugin vulnerability data for almost any service or plugin other than ours, includes this vulnerability in their data. They are not alone, as the website VulDB, vuldb.com, also includes it.

That website describes itself as follows:

VulDB is the number 1 vulnerability database documenting more than 96000 vulnerabilities since 1979. A team of experts is looking for newly disclosed vulnerabilities on a daily basis. After the analysis of the technical capabilities the issue is documented in the database. This kind makes it possible for administrators and security experts to deal with the fast moving vulnerability market.

Seeing as the vulnerability doesn’t exist, any analysis they did clearly wasn’t thorough, but their description makes it sound like there wasn’t really any analysis done at all (emphasis ours):

A vulnerability was found in WP Markdown Editor Plugin 2.0.3 on WordPress and classified as problematic. This issue affects an unknown function of the component IMG Element Handler. The manipulation with an unknown input leads to a cross site scripting vulnerability (stored). Using CWE to declare the problem leads to CWE-79. Impacted is integrity. An attacker might be able to inject arbitrary html and script code into the web site. This would alter the appearance and would make it possible to initiate further attacks against site visitors.

The weakness was disclosed 03/10/2017. The identification of this vulnerability is CVE-2017-6804 since 03/10/2017. The attack may be initiated remotely. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 03/10/2017).

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

You don’t even need to take our word that the vulnerability doesn’t exist as what they cite as their source states that:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.