11 Nov 2022

Not Really a WordPress Plugin Vulnerability, Week of November 11

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Authenticated (Admin+) Directory Traversal In Ultimate Member

Wordfence claimed there had been an authenticated (admin+) directory traversal vulnerability in Ultimate Member that they described this way:

due to insufficient input validation on the ‘pack’ parameter. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a file with the exact name ‘init.php’ then remote code execution may also be possible.

Looking at the relevant change related to that before they put that out, we had already determined that there was a nonce check there, which, while not intended for that purpose, would normally limit access to the functionality to only those with the manage_options capability. As only Administrators have that capability, there wouldn’t be a vulnerability, since they already normally have the capability to do what is claimed to be a vulnerability here.

In addition to Wordfence failing to understand the implication of someone being logged in to WordPress as an Administrator, they failed to understand that there is still a security issue after the change they claimed fixed this, as the code in question doesn’t have a capabilities check to limit access to the relevant function and another in the same file. As mentioned before, the nonce check normally does the equivalent of that, but it isn’t intended for that purpose and could be bypassed in some circumstances. We notified the developer of that and they plan to address it.
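The distinction above (a nonce check that happens to limit access versus an explicit capabilities check, plus validation of the file path built from the parameter) is easier to see in code. The following is an added example written for this post, not code from Ultimate Member or from Wordfence; the function, hook, directory and parameter names are assumptions for illustration, while check_admin_referer, current_user_can, sanitize_key, wp_unslash, plugin_dir_path and wp_die are standard WordPress functions.

```php
<?php
// Added example (not the plugin's own code): an admin-side handler that includes
// an "init.php" from a sub-directory chosen by a "pack" request parameter.
// Names below are hypothetical; only the WordPress API calls are real.

/**
 * Resolve a pack name to a file path that must stay inside $base_dir.
 * Returns the real path on success, or null if the name is invalid or
 * the resolved file would fall outside the packs directory.
 */
function pv_example_resolve_pack_path( $base_dir, $pack ) {
    // sanitize_key() keeps only [a-z0-9_-], so "../", slashes and null bytes
    // cannot survive; this alone removes the traversal described in the report.
    $pack = sanitize_key( $pack );
    if ( '' === $pack ) {
        return null;
    }

    // Belt and braces: resolve both paths and require the file to sit under
    // the base directory, so a symlink or future change to sanitisation
    // still cannot point the include outside the intended directory.
    $base = realpath( $base_dir );
    $file = realpath( $base_dir . '/' . $pack . '/init.php' );
    if ( false === $base || false === $file ) {
        return null;
    }
    if ( 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $file;
}

/**
 * Request handler. The nonce check is CSRF protection: it only restricts the
 * action to manage_options users as a side effect of where the nonce is printed,
 * which is why an explicit capability check is still needed.
 */
function pv_example_load_pack() {
    // 1. CSRF protection. Dies if the nonce is missing or invalid.
    check_admin_referer( 'pv_example_load_pack' );

    // 2. Authorisation. This is the check the post says was missing; without it,
    //    any user who can obtain a valid nonce could reach the include below.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 3. Input validation / path containment for the "pack" parameter.
    $raw  = isset( $_GET['pack'] ) ? wp_unslash( $_GET['pack'] ) : '';
    $file = pv_example_resolve_pack_path( plugin_dir_path( __FILE__ ) . 'packs', $raw );
    if ( null === $file ) {
        wp_die( 'Invalid pack.', '', array( 'response' => 400 ) );
    }

    include $file;
}
add_action( 'admin_post_pv_example_load_pack', 'pv_example_load_pack' );
```

Step 2 is the one that matters for the point made in this post: with only step 1 in place, whoever can get hold of the nonce can run the handler, so the capability check, not the nonce, is what actually ties the action to Administrators. Step 3 is what would have addressed the "pack" parameter issue as originally described, and it is worth having even once step 2 is present, since an Administrator-only code path that reads arbitrary files is still a bug.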

This false report was given the CVE ID CVE-2022-2445.


Plugin Security Scorecard Grade for Ultimate Member

Checked on November 23, 2024
C+
