9 Dec 2022

Not Really a WordPress Plugin Vulnerability, Week of December 9

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post as we come across them.

PHP Objection Injection in Phlox Core Elements

Automattic’s WPScan claimed there was a PHP objection injection vulnerability in Phlox Core Elements. Presumably they were trying to refer to “PHP object injection”. They explained it this way:

The plugin unserializes the content of an imported file, which could lead to PHP object injection when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

It isn’t explained what user would be able to do that or why they would unintentionally import a malicious file.

The proof of concept shows that the “attacker” would need to be logged in as an Administrator, based on the page they would be accessing, “Appearance > Customize > Extras”. We checked the underlying code and there is a nonce check there to prevent cross-site request forgery (CSRF). There is a missing capabilities check, which is a common issue, but the nonce needed to reach that code is normally only available to Administrators. So a logged in Administrator would have to intentionally do what is claimed to be a vulnerability, and a logged in Administrator can normally do the equivalent of this anyway, so it isn’t really a vulnerability.
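To make the distinction concrete, here is an illustrative pair of WordPress AJAX handlers (added example, not code from Phlox Core Elements or from WPScan’s report; the hook names, nonce action, option name and file field are all hypothetical). The first shows the pattern described above, a nonce check with no capabilities check feeding an uploaded file straight into unserialize(); the second adds the capabilities check and removes the object injection sink.

```php
<?php
// Illustrative example only: not code from Phlox Core Elements or WPScan.
// Hook names, nonce action, option name and file field are hypothetical.

// --- Pattern described in the post: nonce check only, then unserialize() ---
add_action( 'wp_ajax_example_import_settings', 'example_import_settings_nonce_only' );
function example_import_settings_nonce_only() {
    // check_ajax_referer() dies on a bad nonce, so CSRF is covered ...
    check_ajax_referer( 'example_import_nonce', 'security' );

    // ... but nothing here checks who the caller is. A nonce proves intent,
    // not authorization; if it were ever exposed to a lower-privileged role,
    // that role could reach the unserialize() call below.
    if ( empty( $_FILES['import_file']['tmp_name'] ) ) {
        wp_send_json_error( 'No file uploaded.' );
    }
    $raw      = file_get_contents( $_FILES['import_file']['tmp_name'] );
    $settings = unserialize( $raw ); // attacker-controlled serialized data: object injection sink
    update_option( 'example_settings', $settings );
    wp_send_json_success();
}

// --- Hardened form: explicit capability check and no object instantiation ---
add_action( 'wp_ajax_example_import_settings_safe', 'example_import_settings_safe' );
function example_import_settings_safe() {
    check_ajax_referer( 'example_import_nonce', 'security' );

    // Authorization check independent of the nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    if ( empty( $_FILES['import_file']['tmp_name'] ) ) {
        wp_send_json_error( 'No file uploaded.' );
    }
    $raw = file_get_contents( $_FILES['import_file']['tmp_name'] );

    // Prefer a format that cannot instantiate objects at all.
    $settings = json_decode( $raw, true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'Import file is not valid JSON.' );
    }
    // If the serialized format must be kept for compatibility, refuse to
    // create any class so no gadget chain can run (PHP >= 7.0):
    // $settings = unserialize( $raw, array( 'allowed_classes' => false ) );

    update_option( 'example_settings', example_sanitize_settings( $settings ) );
    wp_send_json_success();
}

// Keep only scalar values under sanitized keys.
function example_sanitize_settings( array $settings ) {
    $clean = array();
    foreach ( $settings as $key => $value ) {
        $clean[ sanitize_key( $key ) ] = is_scalar( $value ) ? sanitize_text_field( (string) $value ) : '';
    }
    return $clean;
}
```

The point of the second handler is that the capabilities check is what decides who may import, while the nonce only protects a user who already has that capability from being tricked into doing it. With unserialize() removed (or restricted with allowed_classes => false), there is no object injection sink left for a gadget chain to use, regardless of which user reaches the handler.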

This false report was assigned a CVE ID by WPScan, CVE-2022-3359, despite not really describing a vulnerability.
