22 Mar

Not Really a WordPress Plugin Vulnerability, Week of March 22

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in the plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. Those that don’t rise to the level of getting their own post we now place in a weekly post as we come across them.

Stored XSS and Password Viewing in Easy WP SMTP

In a reply in a topic about the vulnerability that was being exploited this week in Easy WP SMTP, which was subsequently deleted (as were numerous other replies), someone asked if the vulnerabilities that a report claimed existed in the plugin had been fixed. That report is nearly two years old, but we are always looking to make our data more complete, even if that involves adding something fixed long ago. What we found, though, is that there really wasn’t a vulnerability, as the person making the claim seemed not to have a great understanding of the WordPress security model.

The first claimed vulnerability isn’t really one, because the underlying claim is that a user with the “manage_options” capability, so normally only an Administrator, would intentionally place malicious JavaScript code in the plugin’s settings, which the report refers to as persistent (stored) cross-site scripting (XSS). Not only is an Administrator normally allowed to do the equivalent of XSS, since they have the “unfiltered_html” capability, but they also normally could edit the plugin’s code to remove any security restrictions.

The same type of issue applies to the second claim, which is that the SMTP password is viewable by Administrators. Administrators would normally be able to access any data stored in the website’s database even if it isn’t shown on an admin page, since they have the ability to run arbitrary code on the website and could use that to read anything in the database.
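To make the capability point in both claims concrete, here is an added illustration (our own sketch, not code from Easy WP SMTP) of a minimal plugin settings page whose save and display paths are gated on “manage_options”. The option name, settings group and page slug (“pv_example_…”) are hypothetical; the point is that the capability on the gate decides whether a stored-script or visible-password report describes a privilege gain at all.

```php
<?php
/*
 * Added illustration, not Easy WP SMTP code. Only roles holding
 * 'manage_options' (Administrator on a single-site install) can reach the
 * save handler below, and on a single site that role also holds
 * 'unfiltered_html' unless DISALLOW_UNFILTERED_HTML is set (on multisite only
 * super admins hold it). A script tag such a user stores here gives them
 * nothing they could not already do in a post or by editing the plugin file.
 * Output is still escaped, which is good practice regardless of who saved it.
 */

// Hypothetical option name used only for this illustration.
const PV_EXAMPLE_OPTION = 'pv_example_smtp_settings';

add_action( 'admin_init', function () {
    register_setting( 'pv_example_group', PV_EXAMPLE_OPTION, array(
        // Normalise the stored shape; options.php has already checked the
        // nonce and that the user holds 'manage_options' before we get here.
        'sanitize_callback' => function ( $input ) {
            $input = is_array( $input ) ? $input : array();
            return array(
                'from_name' => isset( $input['from_name'] ) ? (string) $input['from_name'] : '',
                'password'  => isset( $input['password'] ) ? (string) $input['password'] : '',
            );
        },
    ) );
} );

add_action( 'admin_menu', function () {
    // This capability is what a triager should look at: it is what the
    // report's attacker must already hold to store anything at all.
    add_options_page( 'PV Example', 'PV Example', 'manage_options',
        'pv-example', 'pv_example_render_page' );
} );

function pv_example_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $opts = (array) get_option( PV_EXAMPLE_OPTION, array() );
    ?>
    <form method="post" action="options.php">
        <?php settings_fields( 'pv_example_group' ); // emits nonce + option_page fields ?>
        <input type="text" name="<?php echo esc_attr( PV_EXAMPLE_OPTION ); ?>[from_name]"
               value="<?php echo esc_attr( $opts['from_name'] ?? '' ); ?>">
        <!-- Masked in the form, but an Administrator can read wp_options anyway. -->
        <input type="password" name="<?php echo esc_attr( PV_EXAMPLE_OPTION ); ?>[password]"
               value="<?php echo esc_attr( $opts['password'] ?? '' ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

If the same save path were instead reachable by a role that lacks “unfiltered_html”, the stored markup would be a genuine finding, because it would let that role run script in an Administrator’s browser; that is the distinction the report above missed.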