When Results of a Security Review Are Incorrectly Cited As Evidence a WordPress Plugin Contains a Vulnerability
As we have been working on improving our new tool for checking on the security of WordPress plugins, one of our focuses has been on making sure the results are useful (something we will have some news on once the developers of a couple of plugins in which it has identified security issues have had a chance to fix them), and another has been on making sure that we are not causing plugin developers to waste their time dealing with inaccurate claims about the security of their plugins. That latter item is quite hard, as we have found in the extensive monitoring we do of claims of vulnerabilities in WordPress plugins for our service that people often make claims that have little to do with the underlying information they are citing.
As an example of what goes on, let’s take a claim that we recently looked at involving the plugin Really Simple CAPTCHA. A thread was started on the wordpress.org forum for the plugin with the title “High risk vulnerabilities detected”, which stated that:
Hi,
I’m getting alert message that there are “High risk vulnerabilities detected” at this plugin pointing SQL injection Possible. Please have a look and prevent from it.
The developer responded:
Who detected it?
As you see in its source code, it has no space to make any SQL Injection possible.
We reviewed the code and confirmed that it doesn’t make any connection to the database, much less has SQL queries that would possibly be susceptible to SQL injection.
Instead of just blowing the person off at that point, the developer asked them for more information, and the original poster responded:
Hi,
Thanks for your immediate response, I have added the link of screenshot.
That link goes to a page with an image with the results of a series of scans, including the following one:
Those results come from a scan run from outside the website, by what looks to be Beyond Security’s scanner.
We are not familiar with results from Beyond Security, so things may be different with their scanner, but our experience with other scanners of this type is that they can produce quite bad false positives in terms of claimed SQL injection vulnerabilities, so it wouldn’t be clear, based on those results alone, whether there truly was that type of issue at all.
What is more important in the context of this post is that the results don’t make any claim that a particular plugin was the cause of this. Since the scan does not involve scanning the underlying files, it wouldn’t even be possible for it to tell that. This plugin works with other plugins, not as a standalone item, so we don’t know how the person making the claim decided it must be Really Simple CAPTCHA that caused this.
Taking a close look at the “Complete Attack”, at the end is “&g-recaptcha-response=”. Perhaps the person saw that and assumed that the vulnerability had something to do with captchas, even though it clearly says “your-need” is the “vulnerable parameter.”
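The two checks this post relies on, reading the scanner’s “Complete Attack” to see which parameter actually carries the probe, and reviewing the plugin’s source to see whether it touches the database at all, can both be made concrete. The following Python triage helper is an added example written for this post, not code from the plugin, from the scanner vendor, or from our tool. It assumes a constructed attack URL (the parameter names mirror the post, the host and values are made up) and two constructed PHP snippets standing in for plugin source; neither snippet is the real plugin’s code.

```python
"""Triage a third-party SQL injection scanner finding against a WordPress plugin.

Two independent questions are answered:
  1. Which query-string parameter did the scanner actually probe?  A trailing
     parameter such as a blank g-recaptcha-response is not the injection point.
  2. Does the plugin's source touch the database at all?  A plugin with no
     database access cannot be the sink for a SQL injection finding.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Characters an external scanner typically injects to provoke a SQL syntax error.
PROBE_CHARS = ("'", '"', ";", "--")

# Constructed stand-in for a scanner's "Complete Attack" line (not a real finding).
SAMPLE_COMPLETE_ATTACK = (
    "http://example.com/wp-admin/admin-ajax.php"
    "?action=submit_form&your-need=1%27&g-recaptcha-response="
)

# Constructed stand-in for a captcha plugin that never talks to the database.
CAPTCHA_NO_DB = """<?php
// Draws the challenge image and stores the expected answer in a temp file.
function example_captcha_generate($word) {
    $im = imagecreatetruecolor(72, 24);
    imagestring($im, 5, 2, 4, $word, 0xFFFFFF);
    file_put_contents(sys_get_temp_dir() . '/' . md5($word) . '.txt', $word);
    return $im;
}
"""

# Constructed stand-in for a form plugin that does use the database (safely, via prepare()).
FORM_PLUGIN_WITH_DB = """<?php
// Looks up a form title by numeric id through $wpdb.
function example_form_lookup($id) {
    global $wpdb;
    return $wpdb->get_var($wpdb->prepare("SELECT title FROM {$wpdb->prefix}forms WHERE id = %d", $id));
}
"""

# Database access sinks a WordPress plugin would need in order to be a SQL injection sink.
DB_SINK_PATTERN = re.compile(
    r"\$wpdb\s*->"                                   # WordPress database object
    r"|\bmysqli?_(?:query|connect|real_query)\s*\("  # procedural mysql/mysqli
    r"|\bnew\s+(?:PDO|mysqli)\s*\(",                  # object-oriented drivers
    re.IGNORECASE,
)


def payload_parameters(complete_attack: str) -> list[str]:
    """Return the parameter names whose values contain a scanner probe, in URL order.

    Accepts either a full URL or a bare query string.  Parameters with plain
    values (such as a blank g-recaptcha-response) are not reported.
    """
    query = urlsplit(complete_attack).query if "?" in complete_attack else complete_attack
    return [
        name
        for name, value in parse_qsl(query, keep_blank_values=True)  # %27 is decoded to '
        if any(probe in value for probe in PROBE_CHARS)
    ]


def database_sinks(php_source: str) -> list[tuple[int, str]]:
    """Return (line number, stripped line) pairs where the PHP source touches a database."""
    return [
        (lineno, line.strip())
        for lineno, line in enumerate(php_source.splitlines(), start=1)
        if DB_SINK_PATTERN.search(line)
    ]


def triage(complete_attack: str, plugin_source: str) -> dict:
    """Combine both checks into one verdict a plugin developer can act on."""
    sinks = database_sinks(plugin_source)
    return {
        "probed_parameters": payload_parameters(complete_attack),
        "plugin_db_sinks": sinks,
        "plugin_can_be_sqli_sink": bool(sinks),
    }


if __name__ == "__main__":
    for label, source in (("captcha", CAPTCHA_NO_DB), ("form plugin", FORM_PLUGIN_WITH_DB)):
        print(label, triage(SAMPLE_COMPLETE_ATTACK, source))
```

Run against the constructed inputs, the probe shows up only in `your-need`, the captcha stand-in has no database sink, so the finding cannot be attributed to it, while the form stand-in does reach `$wpdb` and would merit a closer look at how the probed parameter flows into that query. The sink pattern is deliberately broad (it flags safe `prepare()` calls too) because the question at this stage is whether database access exists at all, not whether it is parameterized.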