28 May

Not Really a WordPress Plugin Vulnerability, Week of May 28

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular, are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

Stored Cross-Site Scripting (XSS) in Cookie Law Bar

With the claimed stored cross-site scripting (XSS) vulnerability in Cookie Law Bar, it is stated that “an authenticated attacker can retrieve cookies / sensitive data of all WordPress users”. The first step in the proof of concept is:

navigate to the settings of the Cookie Law Bar under

http://localhost/wp-admin/options-general.php?page=clb

To access the contents of that page, you have to have the activate_plugins capability:

2
3
4
if (!current_user_can('activate_plugins')) {
    die('The account you\'re logged in to doesn\'t have permission to access this page.');
}

That is a capability that normally only Administrators have. If an attacker has access to an Administrator account, then they can usually already do the equivalent of this or anything else they want, for that matter.

The plugin also checks for a valid nonce, so cross-site request forgery (CSRF) is also not possible.