01 Feb

Not Really a WordPress Plugin Vulnerability, Week of February 1

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

SQL Injection Vulnerability in Add Code To Head, All-in-One WP Migration, Diamond MultiSite Widgets, Smush, and Yeloni Exit Popup

Related reports of SQL injection vulnerabilities in Add Code To Head, All-in-One WP MigrationDiamond MultiSite WidgetsSmush, and Yeloni Exit Popup appears to come from someone that has no idea what a SQL injection vulnerability is. As an example, take the plugin Add Code To Head, where they claim that there is this vulnerability in the file add-code-to-head.php despite there being no SQL statements in that file and the GET parameter “id” that is supposed to be utilized as part of this, isn’t used. What they are claiming proves that there is an issue is the following, which they refer to as a “SQL Database Error”:

Fatal error: Uncaught Error: Call to undefined function wp_die() in
/uninstall.php:9 Stack trace: #0 {main} thrown in /home/tramhaltevenlo/public_html
/wp-content/plugins/upsite_analytics_plugin/uninstall.php on line 9

That is actually an error indicating that a function doesn’t exist, which occurs because the file is not intended to be accessed directly and the code is trying to access a function that would exist if that file was loaded by WordPress. That type of error message would not normally be shown due to the display of errors being disabled by default, but if that were an issue, it would impact the core WordPress software as well.