Not Really a WordPress Plugin Vulnerability, Week of March 10
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.
Authenticated (Administrator+) Stored Cross-Site Scripting in All in One SEO
Wordfence claimed that the plugin All in One SEO had contained an authenticated (Administrator+) stored cross-site scripting vulnerability, which they described in part this way:
The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Administrator-level access or above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If this required Administrator-level access, it wouldn’t really be a vulnerability, since Administrators can already do the equivalent of what is supposed to be the exploit.
They further described it this way:
Similarly, an Administrator could modify the Search Appearance or General Social Media settings to include the same malicious payload, which resulted in malicious JavaScript code execution, when editing pages or posts as well as when viewing the all post/page listing.
We couldn’t find anything named General Social Media settings, but the plugin does have a Search Appearance admin settings page, which they showed in a screenshot. Access to that page requires being an Administrator.
This false report was given a CVE id by Wordfence, CVE-2023-0585, despite not really being a vulnerability.
Admin+ Stored Cross-Site Scripting in WP Server Health Stats
Automattic’s WPScan claimed there had been an admin+ stored cross-site scripting via import vulnerability in the plugin WP Server Health Stats. They explained it this way:
The plugin does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Presumably they were trying to refer to users with the Administrator role there.
The proof of concept shows that the “attacker” would need to be logged in as an Administrator based on the page they would be accessing, the plugin’s settings page:
```php
add_submenu_page(
    'wp_server_stats',
    __('WP Server Stats - General Settings', 'wp-server-stats'),
    __('General Settings', 'wp-server-stats'),
    'manage_options',
    'wp_server_stats',
    array($this, 'admin_page_design')
);
```
The saving of the settings is run through WordPress’ Settings API, so it is secured against cross-site request forgery (CSRF).
So a logged in Administrator would have to intentionally do what is claimed to be a vulnerability. A logged in Administrator normally could do the equivalent of this and re-allow themselves the unfiltered_html capability, so it isn’t really a vulnerability.
This false report was given a CVE id by WPScan, CVE-2022-2887, despite not really being a vulnerability.
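As an added example (not code from either plugin, and not the reporters’ proof of concept), this is what the layers described in the WP Server Health Stats item look like in a minimal WordPress settings page: the manage_options gate on the menu entry, the Settings API nonce on save, and escaping on output, which is the part both reports say was missing. The wpv_example_* names are hypothetical.

```php
<?php
// Added example, not code from WP Server Health Stats or All in One SEO.
// All wpv_example_* names are hypothetical.

// 1. Capability gate: only users with manage_options (the Administrator
//    role) can load the page, as with the plugin's add_submenu_page() call.
add_action('admin_menu', function () {
    add_options_page(
        'WPV Example Settings', 'WPV Example',
        'manage_options', 'wpv_example', 'wpv_example_render_page'
    );
});

// 2. Settings API: options.php checks the nonce that settings_fields()
//    emits, so a forged cross-site request cannot change the option, and
//    the sanitize callback cleans the value on the way in.
add_action('admin_init', function () {
    register_setting('wpv_example_group', 'wpv_example_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ));
});

// 3. Output escaping: the bug in both reports is a missing escape on the
//    way out. The reported pattern is `echo $label;` inside the value
//    attribute; the hardened form below uses esc_attr().
function wpv_example_render_page() {
    if (!current_user_can('manage_options')) {
        wp_die(__('Insufficient permissions.'));
    }
    $label = get_option('wpv_example_label', '');
    ?>
    <div class="wrap">
        <h1>WPV Example</h1>
        <form method="post" action="options.php">
            <?php settings_fields('wpv_example_group'); ?>
            <label for="wpv_example_label">Label</label>
            <input type="text" id="wpv_example_label" name="wpv_example_label"
                   value="<?php echo esc_attr($label); ?>">
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}
```

Even with the escaping fixed, the only account that can reach the form is one that already holds manage_options, which is the reason both reports are bugs rather than vulnerabilities.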