Over the last few days we have had a bit of traffic to our website from a page on the Common Vulnerabilities and Exposures (CVE) website, which aims to be “a list of common identifiers for publicly known cybersecurity vulnerabilities” and “is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security”. The page the traffic is coming from is for a claimed vulnerability in WordPress, described as follows:
WordPress version 4.8+ contains a Cross Site Scripting (XSS) vulnerability in plugins.php or core WordPress on the delete function that can result in an attacker performing client-side attacks, which could range from stealing a cookie to code injection. This attack appears to be exploitable via an attacker crafting a URL with a payload and sending it to the user. The victim needs to open the link to be affected by the reflected XSS.
There are no further details to indicate whether this refers to something that has been fixed, or even enough to confirm that it truly has existed. Strangely, a post on a reflected cross-site scripting (XSS) vulnerability in the plugin WP Statistics that we released in April of last year is the only reference listed.
What connection that post has to the claimed vulnerability is a mystery to us. One possibility is that someone listed it simply because it is also a vulnerability of the same type and related to WordPress.
That isn’t the only problematic recent entry.
Earlier today we discussed how other data sources on vulnerabilities in WordPress plugins have incorrectly labeled a vulnerability in the plugin WordPress Comments Import & Export as fixed despite it still existing in the current version. While the CVE entry for that vulnerability doesn’t specifically say it has been fixed, it states: “The plugin “WordPress Comments Import & Export” for WordPress (v2.0.4 and before) is vulnerable to CSV Injection.”
The references listed for that entry seem problematic in a couple of ways:
First, they provide a link to the changelog of the plugin as confirmation. Based on the description of what confirmation means, it appears that is only intended to confirm that the vulnerability existed, not that it has been fixed. The problem with that, which should be apparent to anyone who deals with claimed vulnerabilities, is that developers do not always have a good understanding of security. We have seen plenty of situations where a developer repeated a claim that a vulnerability had existed in their plugin when it hadn’t (and at the same time developers often don’t acknowledge vulnerabilities that did exist). In this case, while the vulnerability still exists, the changelog for version 2.0.5 reads “CSV Injection was fixed – reported by one of our user (Bhushan B. Patil) CVE-2018-11526”. That changelog entry was added after we had notified them that the vulnerability had not in fact been fixed in that version.
The other is an unexplained link to the WPScan Vulnerability Database entry for this vulnerability, which doesn’t offer any unique information and actually falsely claims that the vulnerability was fixed in an earlier version than anyone else is claiming.
Considering that database is tied to a commercial service, it seems inappropriate for a government-sponsored entity to be providing it free advertising like that.
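Since the dispute above turns on whether a changelog line saying “CSV Injection was fixed” corresponds to a complete fix, here is an added example of how a reviewer can check that kind of claim rather than take the changelog's word for it. This is code written for this post; it is not the code of the WordPress Comments Import & Export plugin or of any other project, and the `naive_fix` function is a hypothetical incomplete fix used only to show what an incomplete fix looks like when the export is re-read. The sample comments are constructed. The trigger characters are the ones OWASP lists for CSV injection (`=`, `+`, `-`, `@`, tab and carriage return); the check is deliberately conservative and also flags cells whose first non-space character is a trigger.

```python
import csv
import io

# Leading characters that spreadsheet applications may interpret as the start
# of a formula; this is the set OWASP lists for CSV injection.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """True if the cell could be evaluated as a formula when the CSV is opened
    in a spreadsheet. Leading spaces are stripped first, so " =1+1" counts
    (a deliberately conservative choice for a reviewer's check)."""
    return cell.lstrip(" ").startswith(FORMULA_TRIGGERS)


def naive_fix(cell: str) -> str:
    """Hypothetical incomplete fix (not any real plugin's code): it only drops
    a leading '=' and ignores the other trigger characters."""
    return cell[1:] if cell.startswith("=") else cell


def neutralize_cell(cell: str) -> str:
    """OWASP-style neutralization: prefix a single quote so the spreadsheet
    treats the cell as text. Quoting of embedded double quotes is left to the
    CSV writer (see QUOTE_ALL below)."""
    if is_formula_like(cell):
        return "'" + cell
    return cell


def export_comments(comments, sanitize):
    """Write (author, comment) pairs to CSV text after passing every cell
    through `sanitize`, mimicking a comment-export feature."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["author", "comment"])
    for author, text in comments:
        writer.writerow([sanitize(author), sanitize(text)])
    return buf.getvalue()


def find_unsafe_cells(csv_text):
    """Re-parse an exported file the way a reviewer checking a claimed fix
    would, returning (row, column, value) for every cell that still starts
    with a formula trigger. An empty list means the export is clean."""
    unsafe = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                unsafe.append((r, c, cell))
    return unsafe


# Constructed sample comments (not real data) covering each trigger character
# in both the author and comment fields, plus a benign entry.
SAMPLE_COMMENTS = [
    ("alice", "Nice post"),
    ('=HYPERLINK("http://example.invalid","click")', "formula in author"),
    ("bob", "+cmd|' /C calc'!A0"),
    ("carol", "-2+3"),
    ("@SUM(1,2)", "at sign"),
    ("dave", "\tleading tab"),
]


if __name__ == "__main__":
    for label, sanitizer in (("no fix", lambda c: c),
                             ("naive fix", naive_fix),
                             ("neutralized", neutralize_cell)):
        leftovers = find_unsafe_cells(export_comments(SAMPLE_COMMENTS, sanitizer))
        print(f"{label}: {len(leftovers)} formula-like cell(s) remain")
        for row, col, value in leftovers:
            print(f"  row {row} col {col}: {value!r}")
```

Running the script shows the point of the post in miniature: with no sanitization five cells come back formula-like, the hypothetical `naive_fix` that only handles `=` still leaves four, and only the full neutralization yields an export with nothing left to flag. The useful habit is the last function: verify a claimed fix by exporting attacker-shaped input and re-parsing the result, instead of reading the changelog.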