25 Mar 2022

Not Really a WordPress Plugin Vulnerability, Week of March 25

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in the plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false, where the issue is probably more accurately described as a bug. Those that don’t rise to the level of getting their own post now go in a weekly post as we come across them.

Arbitrary File Deletion via Zip Slip (Authenticated) in iQ Block Country

A claimed arbitrary file deletion via Zip slip (authenticated) vulnerability in iQ Block Country is described this way:

The settings of the plugin can be exported or imported using its backup functionality. An authorized user can import preconfigured settings of the plugin by uploading a zip file. After the uploading process, files in the uploaded zip file are extracted one by one. During the extraction process, the existence of a file is checked. If the file exists, it is deleted without any security control by only considering the name of the extracted file. This behavior leads to “Zip Slip” vulnerability.

Zip Slip can cause damage by overwriting configuration files or other sensitive resources. In this finding, an attacker can exploit this vulnerability and the behavior of the extraction process, to delete an arbitrary file on the server. For doing this, it is enough to upload a zip file containing a file that is named as the path of a file which is desired to be deleted.

What is missing there is really basic detail: what level of user the attacker would need to be. Based on what would need to be accessed according to the proof of concept, it would likely be an Administrator:

Go back to the WordPress, visit Settings > iQ Block Country > Import/Export tab.

Looking at the code, it is indeed an Administrator, as the fourth argument to add_submenu_page(), the capability a user needs to access the page, is 'administrator' (that is a role name rather than a capability, but a user with the Administrator role passes the check either way):

add_submenu_page ( 'options-general.php', 'iQ Block Country', 'iQ Block Country', 'administrator', __FILE__, 'iqblockcountry_settings_page' );

Through their intended capabilities, Administrators already normally have the ability to delete files (they can install, edit, and delete plugins, among other things), so this isn’t really a vulnerability. What would make it one is the import being reachable by a lower-privileged user, and the report doesn’t show that.
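For anyone maintaining an import routine like the one the report describes, the following is an added example of ours, not code from iQ Block Country or from the report, that puts the described extraction pattern beside the containment check that prevents it. The plugin is written in PHP; this is Python so that it runs stand-alone, and the file names (wp-config.php as the target outside the import directory, settings.json as a legitimate entry) are constructed for the demonstration. The check matters when such an importer is reachable by a user who is not already allowed to delete files.

```python
import os
import tempfile
import zipfile

ORIGINAL = b"<?php // original config"  # constructed content of the file outside the import directory


def build_zip(zip_path, entries):
    """Constructed test archive; names are stored verbatim, so '../x' stays '../x'."""
    with zipfile.ZipFile(zip_path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return zip_path


def unsafe_import(zip_path, dest):
    """The pattern the report describes: if a file with the entry's name exists it is
    deleted, then the entry is written. The name is joined to dest as-is, so '../'
    survives, and an absolute name makes os.path.join drop dest entirely."""
    deleted = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # no containment check
            if os.path.exists(target):
                os.remove(target)  # removes whatever the entry name points at
                deleted.append(os.path.normpath(target))
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
    return deleted


def contained_path(dest, name):
    """Resolve name under dest and refuse anything that ends up outside it.
    realpath() follows symlinks, so a link inside dest pointing elsewhere is
    rejected too. Assumes POSIX paths; Windows drive letters and backslashes
    in entry names need separate handling."""
    root = os.path.realpath(dest)
    candidate = os.path.realpath(os.path.join(root, name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"zip entry escapes import directory: {name!r}")
    return candidate


def rejects(dest, name):
    """True if contained_path() refuses this entry name."""
    try:
        contained_path(dest, name)
        return False
    except ValueError:
        return True


def safe_import(zip_path, dest):
    """Same loop, but every entry is validated before anything is written, so a
    bad entry late in the archive cannot leave a half-done import behind."""
    with zipfile.ZipFile(zip_path) as zf:
        files = [i for i in zf.infolist() if not i.is_dir()]
        targets = [(i, contained_path(dest, i.filename)) for i in files]
        for info, target in targets:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:  # truncates, so no separate delete step
                fh.write(zf.read(info))
    return [t for _, t in targets]


def demo():
    """Run both importers on one constructed archive and report what happened
    to the file sitting one level above the import directory."""
    with tempfile.TemporaryDirectory() as work:
        victim = os.path.join(work, "wp-config.php")  # stand-in for the target file
        archive = build_zip(os.path.join(work, "settings.zip"), {
            "settings.json": b'{"blocked": ["XX"]}',  # legitimate entry
            "../wp-config.php": b"",                   # traversal entry
        })
        results = {}

        unsafe_dir = os.path.join(work, "import-unsafe")
        os.mkdir(unsafe_dir)
        with open(victim, "wb") as fh:
            fh.write(ORIGINAL)
        deleted = unsafe_import(archive, unsafe_dir)
        results["unsafe_deleted_outside"] = os.path.normpath(victim) in deleted

        safe_dir = os.path.join(work, "import-safe")
        os.mkdir(safe_dir)
        with open(victim, "wb") as fh:
            fh.write(ORIGINAL)
        try:
            safe_import(archive, safe_dir)
            results["safe_rejected"] = False
        except ValueError:
            results["safe_rejected"] = True
        with open(victim, "rb") as fh:
            results["safe_victim_intact"] = fh.read() == ORIGINAL
        results["safe_wrote_nothing"] = not os.listdir(safe_dir)
        return results


if __name__ == "__main__":
    print(demo())
```

Validating the whole archive before touching the filesystem is deliberate: rejecting entries one at a time while writing would still let a crafted archive get its earlier entries in place before the bad one is hit.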

This false report was given a CVE ID by WPScan, CVE-2022-0246, despite not really being a vulnerability.

Cross-Site Scripting in Akismet and Contact Form 7

With related reports of claimed cross-site scripting vulnerabilities in Akismet and Contact Form 7, the reports are not only false, but also strange. The descriptions for both are nearly identical and don’t match what is in the plugins:

This plugin creates a Akismet Spam Protection from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.

This plugin creates a Contact Form 7 from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.

The proofs of concept don’t make sense, as, among other issues, they both would involve the plugins being installed at the root of the website, instead of the location they would exist in when installed in WordPress:

http://localhost/akismet/akismet.php?id=<script>alert("test")</script>

http://localhost/contact-form-7/admin/admin.php?page=<script>alert("test")</script>

Even if they were installed like that, the proofs of concept wouldn’t work, as the code that appears to be somewhat related to this is in fact properly secured.

We contacted the publisher of those reports, Packet Storm, about them, and they were at least temporarily removed.
