In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false, but where the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.
CSRF / Shell Upload vulnerability in Category and Page Icons
The claimed report of a CSRF/shell upload vulnerability in the plugin Category and Page Icons is a mess. The report looks like it was copied from a real report of a restricted file upload vulnerability in the plugin from years ago, and then additional information that isn’t accurate was added. If you look at the most recent version of the plugin, you will find that what is claimed in the report wouldn’t even be possible with that version. The proof of concept has you sending a request to a file at /wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php, but the first line of that file blocks direct requests to it:
if ( ! defined( 'ABSPATH' ) ) die('<h3>Direct access to this file do not allow!</h3>');
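When triaging a report like this one, the same check can be scripted: does the file the proof of concept targets stop direct requests at its first statement? The following is an added example, not code from this post or from the plugin; the function name is hypothetical, the guard spellings it recognizes are an assumed list of common forms, and the sample sources are constructed (the first one wraps the line quoted above).

```python
import re

# Whitespace and PHP comments that may sit between "<?php" and the first statement.
_LEADING = re.compile(r"(?:\s+|/\*.*?\*/|//[^\n]*|#[^\n]*)*", re.S)

# Assumed list of common spellings of the WordPress direct-access guard.
_GUARD = re.compile(
    r"""
    if\s*\(\s*!\s*defined\s*\(\s*['"]ABSPATH['"]\s*\)\s*\)\s*\{?\s*(?:die|exit)\b
    |
    defined\s*\(\s*['"]ABSPATH['"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b
    """,
    re.X | re.I,
)


def blocks_direct_request(php_source: str) -> bool:
    """Return True if the first statement after the opening tag is an ABSPATH guard."""
    tag = re.match(r"\s*<\?php\b", php_source, re.I)
    if tag is None:
        return False  # output or short tags come first: treat as unguarded
    # Skip comments and blank lines, then require the guard to be the next thing.
    pos = _LEADING.match(php_source, tag.end()).end()
    return _GUARD.match(php_source, pos) is not None


# Constructed sample: the guard line quoted in the post, behind an opening tag.
GUARDED = (
    "<?php\n"
    "if ( ! defined( 'ABSPATH' ) ) "
    "die('<h3>Direct access to this file do not allow!</h3>');\n"
)
# Constructed sample: another common spelling, placed after a header comment.
GUARDED_VARIANT = "<?php\n/**\n * Plugin file.\n */\n// guard\ndefined( 'ABSPATH' ) || exit;\n"
# Constructed sample: no guard at all.
UNGUARDED = "<?php\nrequire_once 'settings.php';\necho 'ok';\n"
# Constructed sample: guard present, but code runs before it.
LATE_GUARD = "<?php\ninclude 'x.php';\nif ( ! defined( 'ABSPATH' ) ) exit;\n"

if __name__ == "__main__":
    for name in ("GUARDED", "GUARDED_VARIANT", "UNGUARDED", "LATE_GUARD"):
        print(name, blocks_direct_request(globals()[name]))
```

A True result only means a direct request to the file stops at its first statement; the code is still reachable when WordPress itself loads the file, so that path has to be reviewed separately.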