05 Apr

Not Really a WordPress Plugin Vulnerability, Week of April 5

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on the plugins they use, we often find reports of things that do not appear to be vulnerabilities at all. For the more problematic reports we release posts explaining why they are false, but there have been a lot of reports that we haven't felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug than as a vulnerability. Those that don't rise to the level of getting their own post we now collect in a weekly post as we come across them.

Open Redirect in Feed Statistics

A common source of claimed vulnerabilities in these posts over the past few months has been someone with the handle "KingSkrupellos", whose inaccurate reports the website Packet Storm keeps posting. We contacted Packet Storm about this and they removed the following report, but most, if not all, of the others from this person are still up. The report claimed an open redirect vulnerability in the current version, 4.1, of Feed Statistics, but the proof of concept it provided doesn't work, which you would assume anyone putting out a report would have checked before publishing it. Looking at the code shown in the report, that isn't surprising: among a number of other problems, the user input the report says is used isn't used anywhere in that code. What appears to have happened is that the report was copied from earlier reports of the same vulnerability, which in turn look to be based on people running across websites using very out-of-date versions of the plugin. There was an open redirect vulnerability in the plugin, but it was fixed in August 2014.
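For readers who want to see what is actually being claimed, here is the general shape of an open redirect beside a hardened form. This is an added illustration written for this post; it is not code from Feed Statistics, from the fixed 2014 version, or from the Packet Storm report. The parameter name `redirect_to` and the site host `example.com` are assumptions. When checking a report like the one above, the first thing to confirm is that the parameter named in the proof of concept actually reaches a redirect sink such as `header('Location: ...')` or `wp_redirect()`; if it never does, the proof of concept cannot work regardless of what the report says.

```php
<?php
// Added illustration, not the plugin's code. Shows the open-redirect pattern
// and a hardened destination check. Parameter name and host are assumptions.

// Vulnerable pattern: the request parameter becomes the Location header
// unchanged, so any absolute URL the attacker supplies is the destination.
function redirect_unsafe(array $get): string {
    $target = $get['redirect_to'] ?? '/';
    return 'Location: ' . $target;   // header('Location: ' . $target) in real code
}

// Hardened form: accept only relative paths or http(s) URLs on the site's own
// host; everything else falls back to the site root. In WordPress the same
// policy is enforced by wp_safe_redirect(), which validates against the site
// host plus any hosts added through the allowed_redirect_hosts filter.
function safe_redirect_target(string $candidate, string $site_host): string {
    $candidate = trim($candidate);
    if ($candidate === '') {
        return '/';
    }
    // Protocol-relative ("//evil.example") and backslash variants ("\\evil.example")
    // are treated as absolute URLs by browsers; reject them outright.
    if (preg_match('~^[\\\\/]{2}~', $candidate)) {
        return '/';
    }
    // Control characters can split headers; never forward them.
    if (preg_match('/[\x00-\x1f]/', $candidate)) {
        return '/';
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return '/';
    }
    // A plain relative path (no scheme, no host) stays on this site.
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return $candidate;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '/';   // javascript:, data:, and similar
    }
    // Compare the parsed host, not a prefix of the string: "https://example.com@evil.example/"
    // has userinfo "example.com" and host "evil.example".
    if (strtolower($parts['host'] ?? '') !== strtolower($site_host)) {
        return '/';
    }
    return $candidate;
}

// Constructed inputs: expected results follow from the rules above.
$site  = 'example.com';
$cases = [
    '/wp-admin/'                        => '/wp-admin/',
    'https://example.com/page'          => 'https://example.com/page',
    'https://evil.example/phish'        => '/',
    '//evil.example/phish'              => '/',
    '\\\\evil.example/phish'            => '/',
    'javascript:alert(1)'               => '/',
    'https://example.com@evil.example/' => '/',
];
foreach ($cases as $in => $expected) {
    $out = safe_redirect_target($in, $site);
    printf("%-38s -> %-28s %s\n", $in, $out, $out === $expected ? 'ok' : 'MISMATCH');
}
```

The unsafe function is deliberately kept to show the sink; the point of the hardened version is that the decision is made on the parsed host, not on a string prefix, and that relative paths are the only thing accepted without a host check.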