Not Really a WordPress Plugin Vulnerability, Week of May 27
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in the plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false, where the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post as we come across them.
Reflected Cross-Site Scripting in WP Statistics
Automattic’s WPScan made this claim about a supposed reflected cross-site scripting vulnerability in the plugin WP Statistics:
The plugin does not sanitise the REQUEST_URI parameter before outputting it back in the rendered page, leading to Cross-Site Scripting (XSS) in web browsers which do not encode characters
So what web browsers would those be? They don’t say.
That might have to do with the fact that modern web browsers do encode characters in URLs, as well as any web browsers following the standard related to that, RFC 3986. Unless they can point to a reasonable scenario where this would be exploitable, this would be more accurately described as a possible or a potential vulnerability.
This false report was given a CVE id by WPScan, CVE-2022-1005, despite not really being a vulnerability.
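As an added illustration (not WP Statistics’ code or WPScan’s, and the placement of the reflected value in an attribute is hypothetical), this PHP script approximates the RFC 3986 percent-encoding a browser applies before a request reaches the server, and puts the unescaped echo of REQUEST_URI beside the escaped form a plugin should use regardless:

```php
<?php
// Added illustration, not the plugin's own code. Runs with the PHP CLI
// outside WordPress; inside WordPress the real esc_attr() is used instead.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Approximation of what an RFC 3986-following browser puts on the wire:
// anything outside the unreserved/reserved sets is percent-encoded
// (so '"', '<', '>' and spaces never arrive literally).
function browser_encode_uri(string $raw): string {
    return preg_replace_callback(
        '/[^A-Za-z0-9\-._~:\/?#\[\]@!$&\'()*+,;=%]/',
        fn($m) => sprintf('%%%02X', ord($m[0])),
        $raw
    );
}

// Hypothetical vulnerable pattern: REQUEST_URI lands in an attribute unescaped.
function render_unsafe(string $request_uri): string {
    return '<input type="hidden" name="return" value="' . $request_uri . '">';
}

// Hardened form: escape at the point of output, whatever the client sent.
function render_safe(string $request_uri): string {
    return '<input type="hidden" name="return" value="' . esc_attr($request_uri) . '">';
}

// Constructed sample path carrying markup characters.
$typed   = '/wp-admin/admin.php?page=wps_overview_page&x="><b>test</b>';
$on_wire = browser_encode_uri($typed);

echo "Typed in the address bar:             $typed\n";
echo "Sent by an encoding browser:          $on_wire\n";
echo "Unescaped echo, encoding browser:     " . render_unsafe($on_wire) . "\n";
echo "Unescaped echo, non-encoding client:  " . render_unsafe($typed) . "\n";
echo "Escaped echo, either client:          " . render_safe($typed) . "\n";
```

With the encoded input the unescaped echo contains no literal quote or angle bracket, which is why exploitation hinges on a client that skips the encoding; the escaped form makes the question moot.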
Admin+ Remote Code Execution (RCE) in WP SVG Icons
Automattic’s WPScan made this claim about a supposed admin+ remote code execution (RCE) vulnerability in the plugin WP SVG Icons:
The plugin does not properly validate uploaded custom icon packs, allowing an high privileged user like an admin to upload a zip file containing malicious php code, leading to remote code execution.
Presumably they are referring to users with the Administrator role, who already have the ability to do what is claimed to be a vulnerability there, through their ability to install plugins.
Looking at the code, we confirmed that access is limited to Administrators:
```php
add_submenu_page(
    'wp-svg-icons',
    __( 'Custom Icon Set', 'wp-svg-icons' ),
    __( 'Custom Icon Set', 'wp-svg-icons' ),
    'manage_options', // capability required; only Administrators have it by default
    'wp-svg-icons-custom-set',
    'render_custom_icon_page'
);
```
There is also protection against cross-site request forgery (CSRF):
```php
// check_admin_referer() itself dies on an invalid nonce; this branch is a fallback.
if ( ! check_admin_referer( 'validate_wp_svg_icons', 'wp_svg_icons_upload_validation' ) ) {
    wp_die( __( 'Sorry, your nonce did not verify. Please try again.', 'wp-svg-icons' ) );
}
```
So there isn’t a vulnerability here, unless you think that WordPress itself contains the same vulnerability.
This false report was given a CVE id by WPScan, CVE-2022-0863, despite not really being a vulnerability.
Admin+ Stored Cross-Site Scripting in underConstruction
Automattic’s WPScan made this claim about a supposed admin+ stored cross-site scripting vulnerability in the plugin underConstruction:
The plugin does not sanitise or escape the “Display a custom page using your own HTML” setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Their usual lack of basic verification, despite claiming to have verified this, is shown there, as they didn’t even figure out which users would have access. To access the plugin’s settings, the user has to be logged in as an Administrator:
```php
add_menu_page(
    'Under Construction',
    'Under Construction',
    'manage_options', // capability required; only Administrators have it by default
    'under-construction',
    array( &$this, 'uc_changeMessage' ),
    'dashicons-hammer'
);
```
If an attacker is logged in as an Administrator they can do basically whatever they want, including usually allowing the unfiltered_html capability, so this really wouldn’t be a vulnerability.
This false report was given a CVE id by WPScan, CVE-2022-1896, despite not really being a vulnerability.