08 May

This Isn’t a Great Indication of the Quality of Data on WordPress Plugin Vulnerabilities in CVE’s Data

While we provide our customers much better data on vulnerabilities in WordPress plugins then you will find elsewhere we are always looking to further improve what we are doing, since we know that is more that we can do. One thing we just started looking into was more closely monitoring data from the Common Vulnerabilities and Exposures (CVE) system. Though just days into that we ran into an entry that doesn’t point to great quality with the data.

This involves entry CVE-2018-19456, which is described as:

The WP Backup+ (aka WPbackupplus) plugin through 2018-11-22 for WordPress allows remote attackers to obtain sensitive information from server folders and files, as demonstrated by download.sql.

When we searched for that plugin we couldn’t quickly find what that would be.

The relevant item linked to as a reference doesn’t help, as this is the only information given:

Yesterday night, I was searching for a backup plugin for my website. I have found lots of plugins already available in the WP. Without wasting my time, I have chosen wpbackupplus plugin.

After searching about WPbackupplus, I got my answer and answer is like

“Don’t make mistake”.

I have found information disclosure in lots of the website who installed this plugin. I made a dork about the vulnerability Google Dork : inurl:”/wp-content/uploads/wp-backup-plus/”.

As best we could tell from further checking this seems like it might relate to a commercial plugin that isn’t available anymore.

What is described in that information gives no indication that the issue existed in the plugin through “2018-11-22”, since what is described there could involve websites using an older version of a plugin.  There is also no indication that it had been fixed either.

Where things get really odd is that there are two other references that are completely unrelated to that, as they relate to “security update for libgit2“. Those reference CVE-2018-19456, but clearly are not related to an issue with a WordPress plugin.