Pagely Doesn’t Seem That Serious About Security at Least With WordPress Plugins
There are a lot of places you can find information on vulnerabilities in WordPress plugins, but much of it is highly inaccurate. The WordPress focused web host Pagely provides one example of that. They put out a monthly post mentioning vulnerable plugins, but just a glance at last month’s post shows they are not doing basic due diligence with claimed vulnerabilities. That isn’t in line with how they market themselves:
No one takes WordPress security more seriously than Pagely.
Their information is a bit confusing, as they have a section headed “List of Vulnerable Plugins, May 2021” and then one headed “Plugins Removed From WordPress Repository”, but both appear to be listing vulnerable plugins. The latter appears to be a list of vulnerable plugins that haven’t been fixed and, based on the name, you would assume ones that have been removed from the WordPress Plugin Directory.
Three of those “removed” plugins were in the WordPress Plugin Directory yesterday, despite not having been updated recently, so there couldn’t have been any security fix made to them in May or June to explain their being there now. With one of them, Cookie Law Bar, we looked at a recent claim of a vulnerability, which seems to be what Pagely is referring to, and at the time, in late May, it had not been removed from the directory. That report was false and it was not very difficult to determine that. So Pagely at least got it wrong that there is a vulnerability and appears to be wrong about it being removed.
Remote File Upload in WP Super Edit
With another one of the plugins, WP Super Edit, there is an even more obviously false report, released last month, that Pagely seems to be referring to (they haven’t provided links to the reports, which they should, so that their claims can be independently verified). They list the vulnerability type for that plugin as Remote File Upload and that matches a false report released last month. The report claims the vulnerability is in the latest version of the plugin, 2.5.4, and that the “vulnerability is caused by FCKeditor in this plugin”. These proofs of concept are also provided:
* Exploit 1 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/browser.html
* Exploit 2 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/connectors/test.html
* Exploit 3 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/upload/test.html
* Exploit 4 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/frmupload.html
The plugin doesn’t contain a sub-directory named “superedit”. There is one named “tinymce_plugins”, but that doesn’t contain a sub-directory named “mse”. The plugin also doesn’t contain FCKeditor.
Looking back at earlier versions in the WordPress Plugin Directory, early versions did contain a root directory named “superedit”, but didn’t contain an “mse” directory in the “tinymce_plugins” directory.
Searching on the proof of concept file names brought up one website that contained those files, dated back to March 2008, so it’s possible somebody found that or something similar and assumed that it was relevant to the latest version of the plugin. That sort of thing isn’t unheard of, which is why you actually need to check on things instead of assuming they are true, as Pagely appears to have done here.
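The checking described above (does each claimed path actually exist in the plugin package, and if not, at which directory does it stop matching?) can be done against the zip downloaded from the Plugin Directory rather than by hand. The following is an added example, not code from the post or from the plugin; the two in-memory packages it builds are constructed stand-ins for the current and early layouts described above, not the real plugin’s file lists, and the example generalizes the check to any plugin slug and any version’s zip.

```python
import io
import zipfile
from posixpath import normpath

# The four proof-of-concept URLs quoted from the false report above.
CLAIMED_POC_URLS = [
    "site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/browser.html",
    "site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/connectors/test.html",
    "site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/upload/test.html",
    "site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/frmupload.html",
]


def plugin_relative_path(url, slug):
    """Return the part of a claimed URL that lies inside the plugin package.

    Everything up to and including wp-content/plugins/<slug>/ is stripped so the
    result can be compared with the paths inside the plugin's zip.
    """
    marker = f"/wp-content/plugins/{slug}/"
    idx = url.find(marker)
    if idx == -1:
        raise ValueError(f"URL does not point into plugin {slug!r}: {url}")
    rel = normpath(url[idx + len(marker):])
    if rel == ".." or rel.startswith("../"):
        raise ValueError(f"claimed path escapes the plugin directory: {url}")
    return rel


def package_files(zip_bytes):
    """Return the set of file paths in a plugin zip, minus the top-level slug directory."""
    files = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Plugin Directory zips place everything under <slug>/.
            _, _, inner = info.filename.partition("/")
            if inner:
                files.add(inner)
    return files


def first_missing_component(rel_path, files):
    """Walk the claimed path one component at a time and return the first prefix
    that does not exist in the package (a directory, or the final file), or None
    when the whole path is present."""
    dirs = set()
    for f in files:
        parts = f.split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))
    parts = rel_path.split("/")
    for i in range(len(parts)):
        prefix = "/".join(parts[: i + 1])
        is_last = i == len(parts) - 1
        if (prefix not in files) if is_last else (prefix not in dirs):
            return prefix
    return None


def check_claimed_paths(zip_bytes, slug, urls):
    """Map each claimed path (relative to the plugin) to the first missing prefix,
    or None if the file really is shipped in the package."""
    files = package_files(zip_bytes)
    report = {}
    for url in urls:
        rel = plugin_relative_path(url, slug)
        report[rel] = first_missing_component(rel, files)
    return report


def build_constructed_package(slug, files):
    """Build an in-memory zip laid out like a Plugin Directory download.
    Constructed for this example; the file lists below are not the real plugin's."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in files.items():
            zf.writestr(f"{slug}/{path}", content)
    return buf.getvalue()


# Constructed stand-ins: the current layout (no "superedit" directory at all) and
# an early layout (a root "superedit" directory, but no "mse" under tinymce_plugins).
CURRENT_LAYOUT = build_constructed_package("wp-super-edit", {
    "wp-super-edit.php": "<?php // plugin bootstrap (constructed)",
    "tinymce_plugins/example/editor_plugin.js": "// constructed",
})
EARLY_LAYOUT = build_constructed_package("wp-super-edit", {
    "superedit/wp-super-edit.php": "<?php // constructed",
    "superedit/tinymce_plugins/example/editor_plugin.js": "// constructed",
})

if __name__ == "__main__":
    for label, pkg in (("current", CURRENT_LAYOUT), ("early", EARLY_LAYOUT)):
        for rel, missing in check_claimed_paths(pkg, "wp-super-edit", CLAIMED_POC_URLS).items():
            status = "present" if missing is None else f"missing from {missing!r} onward"
            print(f"[{label}] {rel}: {status}")
```

To run it against a real package, replace the constructed bytes with the zip for the version the report names (the Plugin Directory serves versioned zips from downloads.wordpress.org/plugin/<slug>.<version>.zip). Against the constructed current layout every claimed path stops matching at “superedit”; against the early layout they get as far as “superedit/tinymce_plugins” and stop at “mse”, which is the same result the post reached by inspecting the versions by hand. A report whose proof-of-concept paths fail this check before any request is sent should be treated as unverified rather than listed as a vulnerability.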
Authenticated Stored Cross-Site Scripting (XSS) in Hana Flv Player
For the last of the three plugins, Hana Flv Player, the source of the claimed vulnerability referred to by Pagely is another provider of data on vulnerabilities in WordPress plugins, WPScan. You would reasonably think that someone being paid to provide this sort of data would do a better job of checking on things than a web host, even one that claims “[n]o one takes WordPress security more seriously”. But if you are aware of WPScan’s track record, then you wouldn’t expect that. And the situation here backs that up.
The vulnerability that Pagely refers to, and that WPScan claims is in the plugin, isn’t there. But if you do the proper checking you find that there is actually a more serious vulnerability in the plugin. That plugin was removed from the Plugin Directory yesterday, after we disclosed that real vulnerability.
Bigger Problem
That isn’t the only problem with their list. Notably missing is an actual vulnerability, of a type that hackers would be likely to exploit, in the plugin Modern Event Calendar, which we found after seeing what looked to be a hacker probing for usage of the plugin. Weeks later that plugin remains in the WordPress Plugin Directory, despite the vulnerability not having been fixed!