Not Really a WordPress Plugin Vulnerability, Week of December 3
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.
Authenticated Stored XSS in Asgaros Forum
This week Wordfence claimed there had been an authenticated stored XSS vulnerability in Asgaros Forum and it was fixed. They described it this way:
The Asgaros Forums WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the name parameter found in the ~/admin/tables/admin-structure-table.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.15.13. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
If you want to argue this is a vulnerability, as they do, then the issue hasn’t been fixed. The only change made in the version that was supposed to fix this is to escape a value once; sanitization should also be done. More importantly, the change only affects the name of a forum, not the description, so if this were a vulnerability it could still be exploited there. We have contacted the developer about those issues.
We would say it isn’t really a vulnerability, since it is only accessible by an Administrator.
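As an added illustration of the sanitize-on-input, escape-on-output pattern discussed above (this is not code from Asgaros Forum or from the Wordfence report; the function names and the hyp_forums table are hypothetical), here is how an admin screen could handle both the forum name and the description rather than only one of them:

```php
<?php
// Hypothetical admin save handler for a forum record (not Asgaros Forum's code).
// Assumes a custom table with `name` and `description` columns.
function hyp_forum_save_handler() {
    // Only administrators reach this screen; still verify capability and nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'hyp_forum_save' );

    // Sanitize on input, independent of whether the user has unfiltered_html:
    // the name is plain text, the description may carry limited HTML, so it
    // goes through the same KSES allow-list WordPress applies to post content.
    $name        = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $description = wp_kses_post( wp_unslash( $_POST['description'] ?? '' ) );

    global $wpdb;
    $wpdb->insert(
        $wpdb->prefix . 'hyp_forums',
        array( 'name' => $name, 'description' => $description ),
        array( '%s', '%s' )
    );
}

// Hypothetical table-row renderer: escape on output as well, for both fields,
// so a value stored before the input sanitization existed is still neutralised.
function hyp_forum_render_row( $forum ) {
    printf(
        '<tr><td>%s</td><td>%s</td></tr>',
        esc_html( $forum->name ),
        wp_kses_post( $forum->description )
    );
}
```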
Stored Cross Site Scripting (XSS) in Slider by Soliloquy
With a claimed stored cross site scripting vulnerability in the plugin Slider by Soliloquy, the instructions refer to doing something that involves WordPress’ post editor:
1. Install and activate the Slider by Soliloquy 2.6.2 plugin.
2. Open Soliloquy and use the “Add New” button to add a new post.
3. Add payload to title. Payload: <script>alert(document.cookie)</script>
What they claim you can do there is only possible if the user doing it has the unfiltered_html capability. If you try it with a user that doesn’t have that capability, that content is removed. The unfiltered_html capability is specifically designed to allow doing that.