In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.
Authenticated Stored XSS in Calculated Fields Form
While that seems fairly caveated, it isn’t clear who actually would have the accessed needed.
The relevant changelog entry mentions administrators, which would most like refer to users with the Administrator role:
Fixes a possible vulnerability (fortunately only accessible by the website’s administator).
Looking at the code it turns out to be those with the “manage_option” capability, so Administrator-level users:
252 253 254 255 256 257 258 259 260 261 262
add_options_page('Calculated Fields Form Options', 'Calculated Fields Form', 'manage_options', 'cp_calculated_fields_form', array($this, 'admin_pages') ); // Menu option add_menu_page( 'Calculated Fields Form Options', 'Calculated Fields Form', 'manage_options', 'cp_calculated_fields_form', array($this, 'admin_pages') ); // Submenu options add_submenu_page( 'cp_calculated_fields_form', 'Documentation', 'Documentation', 'manage_options', "cp_calculated_fields_form_sub2", array($this, 'admin_pages') ); add_submenu_page( 'cp_calculated_fields_form', 'Online Help', 'Online Help', 'manage_options', "cp_calculated_fields_form_sub4", array($this, 'admin_pages') ); add_submenu_page( 'cp_calculated_fields_form', 'Upgrade', 'Upgrade', 'manage_options', "cp_calculated_fields_form_sub3", array($this, 'admin_pages') );
If an attacker has access to an Administrator account, then they can usually already do the equivalent of this or anything else they want for that matter.