21 Mar 2022

The “Security Experts” at Automattic’s WPScan Don’t Appear to Understand the Concept of a Backup Plugin

One of the biggest problems we run into while compiling data on vulnerabilities in WordPress plugins these days is the number of false reports out there. While there has been a problem with that for years, what makes it more problematic now is that “security experts” are spreading these false claims instead of knocking them down. One frequent source of that is WPScan, which is owned by the company closely connected with WordPress, Automattic. That entity is marketed with the claim that they are a “Dedicated team of WordPress security experts”, which doesn’t match up with what we keep seeing.

Recently we saw what looked to be a hacker probing for usage of the plugin All-in-One WP Migration. We couldn’t find a good explanation for why that would be: neither a recently fixed vulnerability in the plugin nor an unfixed vulnerability that currently exists in it. But WPScan did recently put out a false report of a vulnerability in the plugin that it seems a hacker might have thought was something they could exploit.

Failure To Understand a Plugin’s Intended Functionality

The report is titled “All-in-One WP Migration < 7.41 – Admin+ Arbitrary File Upload to RCE”, which has this description:

The plugin does not validate uploaded files’ extension, which allows administrators to upload PHP files on their site, even on multisite installations.

There are multiple fairly obvious issues there. One is that administrators are administrators, so they are already allowed to upload PHP files (more on the multisite element of that in a second). Another is that this involves a backup plugin, so there is a good chance that the plugin intentionally allows uploading arbitrary files as part of its restore capability. In this case, if you just start reading the plugin’s description, you find that it handles plugins, which means it is intended to allow uploading PHP files:

Hit the export button to bundle your database, media files, plugins, and themes into one tidy file.

Looking at the change that is supposed to address this, it simply limits the file extension that is allowed when importing a backup file to .wpress. It doesn’t in any way limit what is contained in that file, so you can still upload PHP files. So either there is still a vulnerability despite WPScan claiming it has been fixed, or in reality, there never was a vulnerability.
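To make the distinction concrete, here is an added example (not code from the plugin or from WPScan) that puts an extension-only check next to a content-aware inspection of a restore archive. It assumes, purely for illustration, that the backup is a zip container; the real .wpress format is different, and the file names and plugin name inside the sample archive are constructed. The point it shows is the one the post makes: a backup that legitimately carries a plugin’s PHP files passes the extension check, so restricting the upload name to .wpress says nothing about what the restore will write to disk.

```python
import io
import zipfile
from typing import Dict, List

# Allow-list for the upload name, mirroring the kind of fix described above
# (assumption: the real plugin checks for ".wpress"; the format is not zip).
ALLOWED_EXTENSIONS = {".wpress"}

# Member extensions that would be executable server-side code once the
# restore writes them under the web root.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}


def extension_allowed(filename: str) -> bool:
    """Extension-only validation: looks at the upload's name and nothing else."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in ALLOWED_EXTENSIONS)


def list_executable_entries(archive_bytes: bytes) -> List[str]:
    """Content-aware inspection: list archive members that would be
    executable after restore. Directory entries are skipped."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return sorted(
            info.filename
            for info in zf.infolist()
            if not info.is_dir()
            and any(info.filename.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS)
        )


def build_sample_backup() -> bytes:
    """Constructed sample backup: a database dump, one plugin (which is PHP,
    as every WordPress plugin is) and a media file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("database.sql", "-- constructed sample dump\n")
        zf.writestr(
            "plugins/example-plugin/example-plugin.php",
            "<?php\n// constructed sample plugin file\n",
        )
        zf.writestr("uploads/2022/03/photo.jpg", b"\xff\xd8\xff")
    return buf.getvalue()


def assess_upload(filename: str, archive_bytes: bytes) -> Dict[str, object]:
    """Run both checks so the two results can be compared side by side."""
    return {
        "extension_allowed": extension_allowed(filename),
        "executable_entries": list_executable_entries(archive_bytes),
    }


if __name__ == "__main__":
    result = assess_upload("site-backup.wpress", build_sample_backup())
    print(result)
```

Running it reports that the upload name is allowed while the archive still contains a PHP file; for a backup plugin that is the expected result, which is why an extension allow-list on the upload name does not change what a restore can place on the site.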

Multisite Doesn’t Do What They Said

Coming back to the multisite issue, they claimed that this is true on WordPress Multisite installations, but they don’t appear to have actually looked into that. When we actually loaded the previous version of the plugin in a WordPress Multisite installation, we found that individual sites in the installation don’t have access to the plugin’s functionality.

That is also true for the Network Admin, where you get a message that “WordPress Multisite is supported via our All-in-One WP Migration Multisite Extension. You can get a copy of it here” with a link to this page. What is described there doesn’t sound like individual sites would have access, and if they did, it would still be a security issue because of the plugin’s continued capability to upload arbitrary files.

CVE and CVSS Issues

Despite this not really being a vulnerability, it was given a CVE identifier, CVE-2021-24216. This is a problem since CVE IDs are treated, for reasons we don’t understand, as giving a claimed vulnerability significance, despite being handed out for things that are not even vulnerabilities.

One of the entities behind CVE is also claiming this non-vulnerability has a CVSS 3 severity score of 7.2 out of 10. If something that isn’t even a vulnerability has that high a score, what would warrant a lower score?
