7 Jan 2022

Not Really a WordPress Plugin Vulnerability, Week of January 7

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of those that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Cross-Site Request Forgery (CSRF) in NotificationX

With a claimed cross-site request forgery (CSRF) vulnerability in the plugin NotificationX, the claimed discoverer, NinTechNet, provides no explanation of why the functionality in question even needs protection against CSRF.

The relevant functionality, the function generate_conversions() in the file /public/class-nx-public.php, is called without user interaction when visiting frontend pages of the website and displays information, so it doesn’t look like there would actually be a need for CSRF protection in the first place; the lack of it therefore wouldn’t be a vulnerability.
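To make that distinction concrete, here is an added illustration (not code from NotificationX or from this post) of when a WordPress plugin handler does and does not need a CSRF check: a read-only frontend display function has nothing a forged request could change, while a handler that writes a setting needs a nonce check plus a capability check. All function and option names below are hypothetical.

```php
<?php
// Added illustrative example; hypothetical names, not NotificationX code.

// Read-only: runs on every frontend page load, writes nothing to the
// database and only outputs data. There is no state for a forged request
// to change, so a nonce check would add nothing. Output is still escaped.
function example_display_conversions() {
    $count = (int) get_option( 'example_conversion_count', 0 );
    echo '<div class="example-conversions">'
        . esc_html( sprintf( '%d recent conversions', $count ) )
        . '</div>';
}
add_action( 'wp_footer', 'example_display_conversions' );

// State-changing: updates a stored setting. This is the kind of handler
// CSRF protection exists for, so it verifies a nonce tied to the action
// AND checks that the requesting user is allowed to change settings.
function example_save_setting() {
    // Ends the request with HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_save_setting', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_setting', 'example_save_setting' );

// The nonce the plugin's admin page embeds in its form or JavaScript so
// that only requests originating from that page carry a valid token.
function example_admin_nonce() {
    return wp_create_nonce( 'example_save_setting' );
}
```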

Admin+ Local File Inclusion in UpdraftPlus

The WPScan Vulnerability Database, which is now owned by Automattic, claimed there was a “verified” local file inclusion vulnerability in UpdraftPlus. The claim involves someone logged in to WordPress as an “admin”. Looking at the plugin’s code, we found accessing the relevant functionality was limited to those that can manage the plugin, which would normally be Administrators. Someone with that level of access to the plugin can already do the equivalent of local file inclusion through the intended functionality of the plugin, so this wouldn’t be a vulnerability.

Another one of our competitors, Patchstack, also spread this false claim.

Admin+ Stored Cross-Site Scripting in UpdraftPlus

Along the same lines, the WPScan Vulnerability Database spread a claim that there was an admin+ stored cross-site scripting vulnerability in UpdraftPlus. Again, this involved the person taking the action being someone that can manage the plugin, which would normally be Administrators. Someone with that level of access to the plugin can already do what is claimed to be a vulnerability through the intended functionality of the plugin, so this wouldn’t be a vulnerability.
