19 Jul 2019

Not Really a WordPress Plugin Vulnerability, Week of July 19

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false, but where the issue is probably more accurately described as a bug. Those that don’t rise to the level of getting their own post we now place in a weekly post when we come across them.

Persistent Cross-Site Scripting in OneSignal Push Notifications

If there had actually been a persistent cross-site scripting (XSS) vulnerability in the plugin OneSignal Push Notifications as claimed, that would be a big deal, as that is the kind of vulnerability that is fairly likely to be exploited and the plugin has 100,000+ installs. No explanation of the vulnerability beyond a proof of concept was provided. The first thing we noticed that raised questions about this was the URL that the request to exploit this would be sent to:

http://127.0.0.1/wp-admin/admin.php?page=onesignal-push

That is a URL for an admin page in WordPress, which would likely indicate that this involves someone logged in to WordPress, so possibly the vulnerability was less serious and mislabeled. The next line of the proof of concept, though, indicated that there might not be a vulnerability, as it shows a nonce:

<input type="hidden" name="onesignal_config_page_nonce" value="f7fae30a4f" />

A nonce is a unique value used to prevent cross-site request forgery (CSRF).

After seeing that, we did a search of the plugin’s code to see if a valid value for that is checked for. When we did that, we found that to be able to change the settings that the proof of concept causes to be changed, someone needs to be logged in as an Administrator and have a valid nonce, so there really isn’t a vulnerability here.
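
The source search described above can be scripted as a first-pass triage when a report's proof of concept includes a nonce field. This is an added example, not code from the plugin or from the original report: both PHP samples are constructed, and the handler, action and option names in them are hypothetical.

```python
import re

# Constructed sample: a settings handler that verifies the nonce and the
# user's capability. NOT the plugin's code; example_* names are hypothetical.
GUARDED = r"""<?php
function example_save_config() {
    if ( ! current_user_can( 'manage_options' ) ) { wp_die( 'Forbidden' ); }
    if ( ! isset( $_POST['onesignal_config_page_nonce'] ) ||
         ! wp_verify_nonce( $_POST['onesignal_config_page_nonce'], 'example_action' ) ) {
        wp_die( 'Bad nonce' );
    }
    update_option( 'example_settings', $_POST['settings'] );
}
"""

# Constructed sample: the field is printed into the form but never verified.
UNGUARDED = r"""<?php
function example_save_config() {
    wp_nonce_field( 'example_action', 'onesignal_config_page_nonce' );
    update_option( 'example_settings', $_POST['settings'] );
}
"""

# WordPress functions that validate a nonce on the receiving side.
VERIFY_CALLS = ("wp_verify_nonce", "check_admin_referer", "check_ajax_referer")


def triage(php_source, nonce_field):
    """Heuristic: is nonce_field passed to a verify call, and is there a
    capability check? A hit is a lead for manual review, not proof."""
    field = re.escape(nonce_field)
    verified = False
    for call in VERIFY_CALLS:
        # The quoted field name must appear inside the same statement as the
        # verify call ([^;]* stops at the end of the statement).
        pattern = r"\b" + call + r"\s*\([^;]*['\"]" + field + r"['\"]"
        if re.search(pattern, php_source):
            verified = True
    cap_check = re.search(r"\bcurrent_user_can\s*\(", php_source) is not None
    return {"nonce_verified": verified, "capability_check": cap_check}


if __name__ == "__main__":
    for name, src in (("guarded", GUARDED), ("unguarded", UNGUARDED)):
        print(name, triage(src, "onesignal_config_page_nonce"))
```

When both checks come back true, the next step is still to read the handler and confirm the checks run before the settings are written.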
