WPScan’s Dedicated Team of Security Experts Are Actually Random Unpaid People on the Internet
Last week we discussed an example, involving Patchstack, of how WordPress security providers often make marketing claims that don’t match up with what they deliver, but they are certainly not alone in that. We ran across another example of that involving WPScan and a claimed vulnerability in a plugin used by at least one of our customers.
WPScan markets their service with a claim that they have a “dedicated team of WordPress security experts” and that they are “continually monitoring the web for new vulnerabilities”, but if you look at their blog, they tell a different story. At the end of September, they wrote a post titled “Writing Good Submissions”. In that, they partially gave away what they are really doing, which is getting other people to do their work for them:
We receive a non-negligible amount of submissions every day. We model the risk they represent for site owners, figure out what kind of privilege is required to successfully exploit the issue, and forward the information to plugin and theme authors to get it fixed.
This can get pretty time-consuming, especially when we need to scavenge missing pieces of information ourselves. This is reflected in the time it takes us to handle submissions. The better the write-up, the faster it gets dealt with.
They are complaining about having to do the work they are supposed to be doing, but things get worse from there. One of the things they claim to do is “figure out what kind of privilege is required to successfully exploit the issue”, but as can be seen with a vulnerability in the plugin Image Hover Effects, that doesn’t actually happen.
On October 22, we warned our customers about a fairly serious vulnerability in the plugin that we noticed while reviewing a change made to the plugin that was supposed to fix a vulnerability. It appears that the developer was trying to fix the vulnerability we noticed.
At the time, we contacted the developer about the insecurity and offered to help them address it. The developer got back to us on October 31 to tell us they were working on a fix.
The vulnerability in part involved insecure handling of the saving of the plugin’s settings. Anyone logged in to WordPress could change them, because the developer registered the function that handles that through a wp_ajax_ hook, which makes it accessible to anyone logged in to WordPress:
add_action('wp_ajax_la_save_caption_options', array($this, 'save_caption_options'));
And the function doesn’t do any security checks to limit access:
function save_caption_options(){
    if (isset($_REQUEST)) {
        update_option( 'la_caption_hover', $_REQUEST);
    }
}
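For comparison, here is how that handler would look with the missing checks in place. This is an added example written for this post, not the plugin’s own code or a fix from its developer; the hook name, the option name and the field names from the settings page are taken from above, while the nonce name and the exact list of accepted fields are assumptions for illustration.

```php
<?php
// Added example: a hardened version of the settings save handler.
// The wp_ajax_* hook is reachable by ANY logged-in user, so the handler
// itself has to enforce who may save and what gets saved.

class Hardened_Caption_Hover_Settings {

    public function __construct() {
        // Same hook as the original registration.
        add_action( 'wp_ajax_la_save_caption_options', array( $this, 'save_caption_options' ) );
    }

    public function save_caption_options() {
        // 1. Capability check: match the settings page, which requires manage_options,
        //    so only Administrators (by default) can change the settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'Insufficient privileges', 403 );
        }

        // 2. CSRF protection: the request must carry a nonce issued for this action
        //    (nonce action name is an assumed value; wp_create_nonce() issues it on the page).
        check_ajax_referer( 'la_save_caption_options', 'nonce' );

        // 3. Never store $_REQUEST wholesale: accept only known fields and sanitize each.
        //    Field names below are assumed from the settings page labels quoted in the post.
        $allowed_fields = array( 'category_name', 'caption_heading', 'caption_description' );
        $clean          = array();
        foreach ( $allowed_fields as $field ) {
            if ( isset( $_POST[ $field ] ) ) {
                $clean[ $field ] = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
            }
        }

        update_option( 'la_caption_hover', $clean );
        wp_send_json_success( $clean );
    }

    // Output side: escape on render as well, so a stored value can never become markup
    // on the settings page or in shortcode output.
    public function render_caption_heading() {
        $options = get_option( 'la_caption_hover', array() );
        $heading = isset( $options['caption_heading'] ) ? $options['caption_heading'] : '';
        echo '<h3 class="la-caption-heading">' . esc_html( $heading ) . '</h3>';
    }
}
```

The order of the checks matters for triage as much as for defense: the capability check is what decides whether a stored XSS in these settings is a low-privilege issue or an “admin attacks admin” non-issue, which is exactly the privilege question WPScan says they answer for each submission. Sanitizing on save and escaping on output are independent layers; the original handler had neither, but without the capability check the other two would still leave any subscriber able to overwrite the settings.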
On November 16, WPScan started claiming that the plugin contained something that wasn’t really a vulnerability, as they were claiming that someone logged in presumably as an Administrator (though the information refers to an “admin”) would be the attacker:
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
That doesn’t match with what we found, as anyone logged in to WordPress, not just high-privilege users could change the settings. If WPScan was really “figure[ing] out what kind of privilege is required to successfully exploit the issue”, then it must be a different issue, since if they had done that or done basic checking they would have seen what we had already found.
WPScan didn’t provide information to double check their claims at the time. Instead, they were going to provide a proof of concept on November 30 for a reason that doesn’t make sense:
The PoC will be displayed on November 30, 2022, to give users the time to update.
By their own admission, there wasn’t an update for users to apply. There still isn’t, but despite that, they released the proof of concept on that day:
Go to the plugin settings (Image Hover Effects > Image Hover Effects) and put the following payload in any input field (such as Category Name, Caption Description, Caption Heading, etc.) and save: “><img src=x onerror=alert(/XSS/)>
The XSS will be triggered when accessing the settings again, as well as in posts/pages where the caption is embedded via shortcode.
So their claim was based on the vulnerability we had noticed, which doesn’t require being a high-privilege user to exploit. Despite them not doing the basic verification work that would have shown that, they claimed they had verified this vulnerability.
To access the plugin’s settings page someone would need to be an Administrator, since the menu page is registered with the manage_options capability, which would mean this wouldn’t be a vulnerability as described:
add_menu_page( 'Image Hover Effects', 'Image Hover Effects', 'manage_options', 'caption_hover', array($this,'render_menu_page'), 'dashicons-format-image' );
Penetration Testing Falls Short
The person credited for discovering the vulnerability was Asif Nawaz Minhas from a website named hackpertise.com, which is marketed as specializing “in conducting advanced manual web application penetration tests”. As can be seen here, penetration testing is of little value, as it missed the real vulnerability here, instead finding something that wasn’t really a vulnerability.
WPScan’s Late Warning
WPScan also markets itself with the claim that you will “be the first to know about vulnerabilities affecting your WordPress installation, plugins”, but they actually were weeks behind us and got things wrong despite the delay. That will happen when you don’t have a dedicated team that actually is doing the monitoring work, but instead rely on unpaid people to report things to you.