31 Aug

Not Really a WordPress Plugin Vulnerability – Week of August 31, 2018

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

Cross-Site Scripting (XSS) Vulnerabilities in Jibu Pro and Quizlord

Nearly identical reports of claimed cross-site scripting (XSS) vulnerabilities in Jibu Pro and Quizlord were released this week by the same person. In both cases these are not really vulnerabilities because the only users that would have the capability to take the actions listed would normally have the unfiltered_html capability, which allows them to do the equivalent of cross-site scripting (XSS). That capability is something that normally only Editor and Administrator-level users have. In the case of Jibu Pro, only those types of users could take the actions listed as the relevant page is restricted those with the delete_others_posts capability, which normally also only is give to those user roles. For Quizlord, only Administrator-level users can take the actions as they relevant page is restricted to users with the manage_options capability, which is normally only only give to Administrator-level users and if other users are given that capability they could normally create Administrator-level users through what they are permitted to do with that capability.

Leave a Reply

Your email address will not be published. Required fields are marked *