Patchstack Claims to Be Security Point of Contact for WordPress Plugin It Made Up Vulnerability About
Recently Automattic’s WPScan claimed that the WordPress plugin Scripts n Styles had contained an admin+ stored XSS vulnerability that they explained this way:
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
They provided no details of what the vulnerable code was, how it was supposed to have been fixed, or a proof of concept for this supposed vulnerability. That would make it practically impossible for the average user relying on their data to double check that claim.
WPScan did claim it was fixed in version 3.5.8 of the plugin. The changes made in that version relate to the plugin’s admin page. To access the plugin’s admin page, the user has to have both the manage_options and the unfiltered_html capability:
if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) return;
Going back to WPScan’s description, they claimed there was a vulnerability because it was possible to do something “even when the unfiltered_html capability is disallowed”. That claim doesn’t match the plugin’s code. The developer has said as much as well.
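For anyone evaluating a claim like this one, the following is an added illustration (not code from Scripts n Styles or its developer) of the gate the plugin’s check implies: a plugin that stores admin-supplied script is only a stored XSS issue if a user lacking unfiltered_html can get script through the save path, so both the page load and the save handler are checked. Function and option names are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Names prefixed sns_demo_ are hypothetical.
// On multisite, unfiltered_html is withheld from site admins unless explicitly granted,
// so current_user_can( 'unfiltered_html' ) is the check that decides the WPScan claim.
function sns_demo_can_store_scripts() {
    return current_user_can( 'manage_options' ) && current_user_can( 'unfiltered_html' );
}

add_action( 'admin_menu', function () {
    if ( ! sns_demo_can_store_scripts() ) {
        return; // No settings page at all for users lacking either capability.
    }
    add_options_page( 'Scripts demo', 'Scripts demo', 'manage_options', 'sns-demo', 'sns_demo_render_page' );
} );

function sns_demo_render_page() {
    if ( ! sns_demo_can_store_scripts() ) {
        wp_die( 'You are not permitted to edit custom scripts.' );
    }
    $saved = get_option( 'sns_demo_script', '' );
    echo '<form method="post">';
    wp_nonce_field( 'sns_demo_save', 'sns_demo_nonce' );
    // Stored script is shown back inside a textarea, so it is escaped for that context.
    echo '<textarea name="sns_demo_script">' . esc_textarea( $saved ) . '</textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

add_action( 'admin_init', function () {
    if ( ! isset( $_POST['sns_demo_script'] ) ) {
        return;
    }
    // The save path is where an "admin+ stored XSS" claim would have to be shown:
    // a user without unfiltered_html must not be able to store raw script here.
    if ( ! sns_demo_can_store_scripts() ) {
        wp_die( 'You are not permitted to store custom scripts.' );
    }
    check_admin_referer( 'sns_demo_save', 'sns_demo_nonce' );
    update_option( 'sns_demo_script', wp_unslash( $_POST['sns_demo_script'] ) );
} );
```

A user who passes this gate is, by WordPress’s own capability model, permitted to publish script, which is why the same data written by such a user is a feature rather than an XSS finding.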
The stated purpose of the plugin is to allow Admin users to add JavaScript code to pages:
This plugin allows Admin users the ability to add custom CSS and JavaScript directly into individual Post, Pages or any other registered custom post types
Cross-site scripting (XSS) involves JavaScript code being added to a page by a user who isn’t permitted to do that. Considering the plugin is intended to allow JavaScript code and is restricted to the intended users, there doesn’t appear to be a vulnerability.
Here’s where things get weird. While WPScan claims both that there has been a vulnerability and that it has been fixed, they list as a “miscellaneous” detail that they haven’t verified this:

Huh?
While they don’t disclose it in their entry, WPScan copied this claim from another provider, Patchstack. From there things get odder.
Patchstack provides even less information than WPScan. Here are their “details”:
konagash discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Scripts n Styles Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 3.5.8.
They claim the required privilege is Administrator. Again, what they are claiming is a vulnerability is what the plugin is intended to do and still allows in version 3.5.8.
The even odder element is that on their entry they claim to be “official security point of contact” for the plugin:

Patchstack doesn’t appear to be involved in the development of the plugin, so that claim doesn’t really make sense. Considering they themselves have made up a vulnerability in the plugin, who would treat them as a reasonable party to contact about a real vulnerability?
Patchstack provides no way to verify that claim. They make the same claim for a very popular plugin, but in an interaction we had with that plugin’s developer in the last month, the developer said that vulnerabilities should be reported to them through their bug bounty program. Patchstack was not mentioned at all.