29 Oct 2021

Not Really a WordPress Plugin Vulnerability, Week of October 29

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ Stored Cross Site Scripting in WP Sitemap Page

WPScan claimed that the plugin WP Sitemap Page contained an “Admin+ Stored Cross Site Scripting” vulnerability, stating this:

The plugin does not properly sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

To access the plugin’s settings page, you have to be logged in as Administrator:

$capability = 'administrator';
$menu_slug = 'wp_sitemap_page';
$function = 'wsp_settings_page'; // function that contain the page
add_options_page( $page_title, $menu_title, $capability, $menu_slug, $function );

An Administrator, by default, can do just about anything, including undoing a capabilities restriction, since they are an Administrator.

Stored Cross Site Scripting in Ninja Tables

With a claimed stored cross-site scripting vulnerability in the plugin Ninja Tables, the instructions are not very clear, but it seems to be referring to something that is only accessible from the plugin’s admin pages:

Enter JavaScript payload which is mentioned below "><img src=x onerror=confirm(document.domain)> in the ‘Column Name & Add Data’ and enter the data into the user input field. Then navigate to Table Design

That is only accessible by Administrators, who have the capability to do the equivalent of cross-site scripting (XSS). In the “Pro” version of the plugin other roles can be given access, so there might be an issue there. Also, it doesn’t look like JavaScript code should be in that field anyway.

We have notified the developer of the report and the possible issue for lower-level users with the “Pro” version.

Stored Cross Site Scripting in Media Tags

With a claimed stored cross-site scripting vulnerability in the plugin Media Tags, the instructions are not very clear, but it seems to be referring to something that is only accessible from the plugin’s admin pages:

Navigate to Add Table >> add the payload into ‘Media Tag Label Fields’ and enter the data into the user input field.

That is only accessible by Administrators, who have the capability to do the equivalent of cross-site scripting (XSS). It doesn’t look like JavaScript code should be in that field, though. The plugin doesn’t appear to be supported anymore, and we found it partially broken while checking into this claim.

Stored Cross Site Scripting in TaxoPress

With a claimed stored cross-site scripting vulnerability in the plugin TaxoPress, the instructions are not very clear, but it seems to be referring to something that is only accessible from the plugin’s admin pages:

Navigate to Add Table >> add the payload into ‘Table Name & Descriptions’ and enter the data into the user input field.

That is only accessible by Editors and Administrators, who have the capability to do the equivalent of cross-site scripting (XSS). It doesn’t look like JavaScript code should be in that field, though.

Stored Cross-Site Scripting in Filterable Portfolio and Gallery Plugin

With a claimed stored cross-site scripting vulnerability in the plugin Filterable Portfolio and Gallery Plugin, the instructions are not very clear, but it seems to be referring to doing something that involves WordPress’ post editor:

Open plugin on the left frame and enter JavaScript payload which is mentioned below into ‘title’ field, save and preview.

<img src=x onerror=alert(1)>

What they claim you can do there is only possible if the user doing it has the unfiltered_html capability. If you try it with a user that doesn’t have that capability, that content is removed. The unfiltered_html capability specifically is designed to allow doing that.

Stored Cross Site Scripting in Contact Form by Supsystic

With a claimed stored cross-site scripting vulnerability in Contact Form by Supsystic, the page being accessed is only accessible by Administrators in the free version, but even if that were not at issue, as far as we could tell the malicious payload isn’t actually saved. Instead, it gets output when you click a save button, but doesn’t actually get saved. So, at best, you could describe this as self-XSS, which isn’t a vulnerability.

We have notified the developer of the report and suggested that they may want to sanitize the output, so that the payload isn’t output as-is.
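The pattern that makes the question of who can reach a settings page moot, tying together the capability gating shown for WP Sitemap Page and the unfiltered_html behaviour described for the post editor, is to sanitize on save and escape on output. The following is an added example written for this post, not code from any of the plugins discussed; all option, field and function names are hypothetical.

```php
<?php
// Added example (not from any plugin above): a settings page whose stored
// values stay harmless whichever role is allowed to reach it.
// Option/field/function names are hypothetical.

add_action( 'admin_menu', 'example_add_settings_page' );
add_action( 'admin_init', 'example_register_settings' );

function example_add_settings_page() {
    // Gate the page on a capability, not on a role name.
    add_options_page( 'Example', 'Example', 'manage_options', 'example', 'example_render_page' );
}

function example_register_settings() {
    // A label or column name has no business holding markup: strip tags outright.
    register_setting( 'example_options', 'example_label',
        array( 'sanitize_callback' => 'sanitize_text_field' ) );

    // A description that legitimately allows HTML follows core's post-content
    // rule: keep markup only for users holding unfiltered_html.
    register_setting( 'example_options', 'example_description',
        array( 'sanitize_callback' => 'example_sanitize_html' ) );
}

function example_sanitize_html( $value ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    // kses allowlist: <img src=x onerror=alert(1)> becomes <img src="x" />
    return wp_kses_post( $value );
}

function example_render_page() {
    $label       = get_option( 'example_label', '' );
    $description = get_option( 'example_description', '' );
    // Escape at the point of output, so even a raw value cannot break out
    // of the attribute or element it is printed into (the self-XSS case).
    printf( '<input type="text" name="example_label" value="%s" />', esc_attr( $label ) );
    printf( '<textarea name="example_description">%s</textarea>', esc_textarea( $description ) );
}
```

The sanitize callbacks run inside update_option() during the settings save, so the stored value is already filtered before any page echoes it.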
