10 Sep

SiteLock is Making the WPScan Vulnerability Database’s Low Quality Data Worse

One of the things that we believe leads to the poor state of security of WordPress, as well as of security more generally, is the amount of inaccurate and outright false information spread by those involved in security. That also creates unnecessary hassle for others. When it comes to our area of focus, the security of WordPress plugins, that is a constant issue. While we properly vet claimed vulnerabilities before adding them to our data set, if you are getting data elsewhere it likely comes from the WPScan Vulnerability Database, which is a data source whose maintainers don’t seem to be concerned about the accuracy of their data (or about other things that seem important for providing what they claim to provide).

If they were even a little concerned about that it seems hard to believe what has happened with the plugin WooCommerce PayPal Checkout Payment Gateway would have occurred. They are currently claiming that plugin, which has 800,000+ installs according to wordpress.org, contains an unfixed vulnerability:

You would think that type of claim would receive some level of scrutiny, but it seems there was none, as the original source for that claim doesn’t even attempt to support it. The gist of the claim is that if you change values in the URL on the PayPal website, that will allow making purchases through this plugin for a lower price. What they don’t seem to have considered is that it isn’t any secret that you can change the price on the PayPal side, since it is included in plain text in the URL, and that validation of the correct price should be handled by the plugin. They don’t even claim that such validation isn’t actually happening.

From years of seeing the next part of this, the public clearly isn’t aware of the low quality of WPScan’s data, and so you then have people coming to the developer of the plugin wanting to know when they are going to fix a vulnerability that doesn’t exist. In this case that can be seen in the WordPress support forum topic Vulnerabilty in Plugin.

That starts with someone who clearly believes the information is accurate:

The WPVulnDB lists a security-issue with the plugin up to the newest version 1.6.17. Will there be a fix for this soon?

In one of the follow-ups you have someone who believes the developer doesn’t care about the security of the plugin:

I wouldn’t hold out hope. This vulnerability was originally posted 2019-01-27 and there have been 8 releases since then.

Here is the response from an employee of the developer:

We have determined that the conditions being reported do not constitute an exploit in the PayPal Checkout extension for WooCommerce. While it is true that the amount can be manipulated in the PayPal payment flow, this amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left in an “On Hold” state. (In cases when the order is completed upon API payment request rather than IPN, the amount comes directly from the order, not a previous PayPal response.)

If we were to receive exploit steps that result in a completed WooCommerce order with a lower payment amount (can be reported here), we would act promptly to address the issue.
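The check the developer describes, the server-side order total being the only trusted amount and a mismatch leaving the order on hold rather than completed, as an added illustration in Python. This is not the plugin’s own code (which is PHP); the order structure is constructed, the `mc_gross`, `mc_currency`, `payment_status` and `txn_id` keys follow PayPal IPN naming, and the handler itself is hypothetical.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample order; field names are hypothetical, not WooCommerce's own.
ORDER = {"id": 1001, "total": "49.99", "currency": "USD"}

def to_cents(amount):
    """Convert a decimal amount string to integer minor units so that the
    comparison is exact and not subject to floating-point rounding."""
    return int((Decimal(str(amount)) * 100).quantize(Decimal("1"), rounding=ROUND_HALF_UP))

def settle_order(order, ipn, processed_txns):
    """Return the order status a payment notification should produce.

    The only trusted figure is the server-side order total. The amount echoed
    back by the payment side (mc_gross/mc_currency, as in a PayPal IPN message)
    is checked against it; any mismatch leaves the order "on-hold" for manual
    review instead of completing it. A real handler must first verify that the
    notification is genuine (e.g. the IPN postback), which is omitted here.
    """
    txn = ipn.get("txn_id")
    if not txn or txn in processed_txns:
        return "on-hold"          # missing or replayed transaction id
    if ipn.get("payment_status") != "Completed":
        return "pending"          # payment not finished yet; nothing to settle
    if ipn.get("mc_currency") != order["currency"]:
        return "on-hold"          # right number in the wrong currency is still wrong
    if to_cents(ipn.get("mc_gross", "0")) != to_cents(order["total"]):
        return "on-hold"          # amount was changed on the payment side
    processed_txns.add(txn)
    return "completed"

if __name__ == "__main__":
    seen = set()
    tampered = {"txn_id": "T-1", "payment_status": "Completed",
                "mc_gross": "0.99", "mc_currency": "USD"}
    print(settle_order(ORDER, tampered, seen))   # on-hold
```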

The developer is Automattic, so even one of the largest companies connected with WordPress isn’t free of this.

Today another topic was started on the support forum about this non-existent vulnerability.

SiteLock Is Making Things Worse

Making the situation worse, oftentimes when WPScan’s data is used by security companies and other ostensibly trustworthy entities, it isn’t disclosed that WPScan is the source. That creates the impression that multiple parties have confirmed the vulnerabilities exist, when no one did that work. Those other entities, whether they disclose the source or not, often make false claims about the quality of the data. The makers of the most popular WordPress security plugin, Wordfence Security, actually claim the data is “confirmed/validated“.

Those entities’ handling of the data can make things even worse. The WPScan Vulnerability Database until recently had an entry for a false vulnerability in the plugin Events Manager, which has 100,000+ installs according to wordpress.org. In that case the vulnerability, which never existed, was claimed by WPScan’s data to have been fixed in the latest version, 5.9.5. There are two recent topics that involve the security company SiteLock claiming the current version of the plugin is insecure.

Here is the information that SiteLock sent out, which you wouldn’t know comes from WPScan’s data (we only knew that in this case because someone from WPScan confirmed they were the original source):

Events Manager 5.9.5
Severity: Critical
Category: xss
Summary: Events Manager < 5.9.5 – Multiple XSS
Description: WordPress plugin Events Manager version 5.9.5 and prior suffers from multiple XSS vulnerabilities. There are multiple stored XSS (Cross-site Scripting) vulnerabilities in file events-manager/trunk/admin/settings/tabs/pages.php on the events-manager-options page. The reason: unsanitized user input from the following parameters: dbem_cp_events_slug, dbem_cp_locations_slug, dbem_taxonomy_category_slug, dbem_taxonomy_tag_slug. Exploiting this vulnerability requires authentication. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

What also sticks out if you look closely is that it clearly lists versions below 5.9.5 as being vulnerable and lists the version in use as being 5.9.5.

Getting that incorrect seems hard to understand, since it shouldn’t be hard to properly parse the version number there. There have been issues along those lines with their use of WPScan’s data going back years, so either they are totally incompetent or this is something being done intentionally.
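How the version bound in a summary like the one above should be parsed and compared, as an added example in Python; this is not SiteLock’s or WPScan’s code, and the summary string is the one quoted in the notification. It also handles the `<=` form and multi-digit components (5.9.10 sorts after 5.9.5), which plain string comparison gets wrong.

```python
import re

# Summary line exactly as it appears in the notification quoted above.
SUMMARY = "Events Manager < 5.9.5 – Multiple XSS"

def parse_version(text):
    """Turn '5.9.5' into (5, 9, 5) so that comparison is numeric per component.
    Trailing zero components are dropped so that '5.9.5.0' equals '5.9.5'.
    Any non-numeric suffix (e.g. '-beta') is ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def affected_bound(summary):
    """Extract the upper bound from a '< X' or '<= X' summary, or None if absent."""
    m = re.search(r"(<=|<)\s*(\d+(?:\.\d+)*)", summary)
    return (m.group(1), m.group(2)) if m else None

def is_affected(installed, summary):
    """True if the installed version falls inside the summary's stated range.
    '< 5.9.5' excludes 5.9.5 itself; '<= 5.9.5' includes it. Returns None when
    the summary carries no version bound, so the caller cannot silently assume
    either answer."""
    bound = affected_bound(summary)
    if bound is None:
        return None
    op, ver = bound
    have, limit = parse_version(installed), parse_version(ver)
    return have <= limit if op == "<=" else have < limit

if __name__ == "__main__":
    for v in ("5.9.4", "5.9.5", "5.9.10"):
        print(v, is_affected(v, SUMMARY))   # True, False, False
```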