05 Oct

Not Really a WordPress Plugin Vulnerability – Week of October 5, 2018

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

Arbitrary File Upload Vulnerability in Wp-Insert

If there really was an unfixed arbitrary file upload upload vulnerability in a WordPress plugin with 30,000+ active installations, as was claim to be the case with a report of a vulnerability in the plugin Wp-Insert, that would be a big deal since it would be basically guaranteed to be exploited. But it isn’t true.

The big red flag that this might not be true from the report is that they reporter was listing a website impacted. What we have often found is that people will find a website running outdated software and for who knows what reason assume it is running the latest version. We have often seen this with software that is easily downloaded, so the person behind the report could have easily checked things out, but didn’t. The claimed vulnerable files in this case are supposed to be in the directory /fckeditor/, but the only directory in the current version of the plugin is /includes/. Looking at the readme.txt on the website listed in the report, the version of the plugin on that website looks to be 1.7.3, which was superseded over 7 years ago. The next version 1.7.4 was the last version to contain the /fckeditor/ directory.

In looking at version 1.7.3 we found the file upload capability mentioned in the report didn’t work.

According to the developer of the plugin they tried to make it clear that their claim was incorrect to the person behind the report, but it didn’t stop the release of that false report.

Username Disclosure Vulnerability in Breadcrumb NavXT

With a claimed username disclosure vulnerability in Breadcrumb NavXT the reason it is not really a vulnerability is that you can do the equivalent through WordPress as well and with WordPress usernames are not intended to be private.