08 Jul

WPScan and Patchstack Spread False WordPress Plugin Vulnerability Report That Looks Like Satire of False Report

One of the things we provide to customers of our service as part of our data set on WordPress plugin vulnerabilities is information on false reports of vulnerabilities. These days the source of many of those false reports is not who you would expect, as it is the two main other data providers. One of those, WPScan, claims that they are verifying these false reports and the other, PatchStack, is claiming to be providing patches for them. In both cases, what they claim to do flies in the face of them spreading obvious false reports. One of those reports is so bad it reads like it would be someone in the industry attempt at satirizing bad reports, not something being claimed to be real.

The report involves a plugin named Hotjar Connecticator, which was removed from the WordPress plugin directory at the time this report was released. The report was published directly with WPScan:

The first part of the description there is:

The plugin was vulnerable to Stored Cross-Site Scripting (XSS) in the “hotjar script” textarea.

While that is written in the past tense, confusingly, again, they claim the vulnerability hasn’t been fixed:

No known fix

The rest of the description is a head scratcher:

The request did include a CSRF nonce that was properly verified by the server and this vulnerability could only be exploited by administrator users.

So the claim is that someone logged in to WordPress with the ability to anything, since they are an Administrator, would have to intentionally do this. That isn’t a vulnerability and it shouldn’t take a security expert to understand that. Among many issues with this, an Administrator could remove security code from a plugin.

But things get worse from there, as the setting here is explicitly supposed to store JavaScript code, which is what stored cross-site scripting involves:

Would it be better to have the setting output on its setting page in escaped form, sure, but that doesn’t make it a vulnerability.

Patchstack Too

Patchstack looks to largely copy their data from WPScan, without bothering to filter out stuff like this:

In this case, without providing any credit, as the only reference listed is to “Plugin changelog“, which is actually just to main page for the plugin on WordPress plugin directory and doesn’t make any mention of this security vulnerability (it didn’t mention security at all until long after they posted that).