11 Jan

Not Really a WordPress Plugin Vulnerability, Week of January 11

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For the more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Cross-Site Scripting (XSS) in Google XML Sitemaps

The report of a claimed cross-site scripting (XSS) vulnerability in Google XML Sitemaps states:

In the case where multiple administrators manage the WordPress site with the affected plugin, an administrator with malicious intent may embed an arbitrary script into the plugin settings page. The embedded script may be executed when another administrator logs in and browses the page.

If you have an Administrator with malicious intent, the security of plugins really isn’t going to matter, since among other things the Administrator can install arbitrary code on the website. What might be of concern is if there was a lack of protection against cross-site request forgery (CSRF), since that could cause an Administrator to take an action they didn’t intend, but that wasn’t the case with the relevant functionality.
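As an added illustration (not code from Google XML Sitemaps or from the report), this is the shape of a WordPress settings handler with the two checks that matter here: a capability check and a nonce check, which is the CSRF protection the post refers to, plus output escaping for the stored value. The plugin prefix, option name and nonce action are hypothetical.

```php
<?php
// Added example (hypothetical "example_sitemap" plugin, not the real plugin's code).
// Saving a setting is gated on (1) the user having the manage_options capability
// and (2) a valid nonce, so a forged cross-site request cannot make an
// Administrator change the setting without intending to.

add_action( 'admin_init', 'example_sitemap_handle_save' );

function example_sitemap_handle_save() {
    if ( ! isset( $_POST['example_sitemap_save'] ) ) {
        return;
    }
    // Only users allowed to manage options (normally Administrators) get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // CSRF protection: the nonce is tied to this user and this action, so a
    // request originating from another site cannot supply a valid one.
    check_admin_referer( 'example_sitemap_save_settings', 'example_sitemap_nonce' );

    $title = sanitize_text_field( wp_unslash( $_POST['example_sitemap_title'] ?? '' ) );
    update_option( 'example_sitemap_title', $title );
}

function example_sitemap_render_form() {
    $title = get_option( 'example_sitemap_title', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_sitemap_save_settings', 'example_sitemap_nonce' ); ?>
        <!-- esc_attr() stops a stored value from being rendered as markup/script
             when another Administrator views the page. -->
        <input type="text" name="example_sitemap_title"
               value="<?php echo esc_attr( $title ); ?>">
        <input type="submit" name="example_sitemap_save" value="Save">
    </form>
    <?php
}
```

With the nonce check in place, a stored value that only an Administrator could have entered is the bug-level issue the post describes rather than an exploitable vulnerability.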