10 May

More of CVE’s Inaccurate Information on WordPress Plugin Vulnerabilities

Earlier this week we noted that in starting to take a closer look at CVE entry data on vulnerabilities in WordPress plugins we found that their information can be problematic. An entry added in the last day is even worse. Here is the information given for CVE-2019-11869:

The Yuzo Related Posts plugin 5.12.94 for WordPress has XSS because it mistakenly expects that is_admin() verifies that the request comes from an admin user (it actually only verifies that the request is for an admin page). An unauthenticated attacker can inject a payload into the plugin settings, such as the yuzo_related_post_css_and_style setting.

That refers to a vulnerability we discovered, though we are not referenced in the entry. Instead Wordfence is referenced, which isn’t a great idea since they seem to have managed to get things wrong (which if you are familiar with them, wouldn’t be surprising to hear) and falsely implicate the function is_admin() as being part of the cause of the vulnerability, which the CVE entry then repeats.

What is much more problematic is that the vulnerability doesn’t exist in that version of the plugin as it was fixed in an earlier version. We don’t know why that version would have been implicated other than it is the latest version.

When you are using our service we warn you about vulnerabilities you use after we have actually tested things out and determined what versions of plugins are impacted instead of spreading inaccurate information.