23 Nov

Not Really a WordPress Plugin Vulnerability – Week of November 23, 2018

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

SQL Injection Vulnerability in Zotpress

Earlier this week we had a series of requests that look to be trying to exploit a vulnerability in the plugin Zotpress in the file zotpress.rss.php. We didn’t have any vulnerabilities for that plugin in our data set and the most recent version of the plugin didn’t contain that file. In then looking into this we found that the requests matched a report of a claimed SQL injection vulnerability from over 7 years ago. In looking into this we found that the claimed vulnerability wasn’t really one as it is stated that “magic_quotes has to be turned off” for it to work, but that is always on in WordPress even if otherwise disabled.