Not Really a WordPress Plugin Vulnerability, Week of April 15
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular, are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.
Admin+ Arbitrary File Upload to RCE in WP Import
Earlier this week we saw a concerning changelog entry for the plugin WP Import:
FIX – Fix RCE issue by forcing correct extensions on imported data files.
We went to look into and found that there wasn’t a vulnerability, but we guessed we would soon see one of our competitor misleading people by claiming it was. It was, as often is the case, WPScan. Here is their claim:
The plugin does not validate the imported file in some cases, allowing high privilege users such as admin to upload arbitrary files (such as PHP), leading to RCE
Presumably they mean Administrators (which is the role needed), though they didn’t even figure that out (as usual). Administrators are normally allowed to upload arbitrary files and, specifically, PHP files, through their capabilities involving plugins, so this wouldn’t be a vulnerability.
The intended functionality of the plugin allows importing WordPress users, so presumably if a lower level user was given access to the plugin, they could create an account with the Administrator role through that.
WPScan also issued a CVE ID, CVE-2022-1273, for this, despite not being a vulnerability.
Patchstack is also inaccurately calling this a vulnerability.
Admin+ Arbitrary File Upload in One Click Demo Import
The same things are true for a claimed admin+ arbitrary file upload vulnerability in One Click Demo Import that WPScan describes this way:
The plugin does not validate the imported file, allowing high privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed
Again, this requires being an Administrator, which is allowed to do these things.
This also received a CVE ID, CVE-2022-1008, despite not being a vulnerability.
Again, Patchstack is also inaccurately calling this a vulnerability.