Not Really a WordPress Plugin Vulnerability, Week of October 27
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false, where the issue is just more accurately described as a bug than a vulnerability. For those that don’t rise to the level of getting their own post, we now collect them in a weekly post as we come across them.
Missing Authorization Checks on Backup Exports in Everest Backup
Wordfence claimed the plugin Everest Backup contained what they labeled as “Missing Authorization Checks on Backup Exports”, which isn’t even a type of vulnerability. The description they provided, though, does read like a description of a vulnerability:
The Everest Backup plugin for WordPress is vulnerable to backup export disclosure in versions up to, and including, 1.0.7. This is due to insufficient access controls on the everest_backup_get_ajax_response() function. This makes it possible for authenticated attackers to reveal sensitive information about back-ups created by the plugin.
That is quite vague, though. For example, what level of authentication would the attacker need?
It appears that Wordfence simply saw a changelog entry that said “Fixes: Minor security issues fixes.” and assumed there was more of an issue than there really was.
In the change made in the relevant version of the plugin, a capabilities check was added to the code. Right before it in the code, though, there was already a nonce check. So an attacker would have to have access to a valid nonce to get to the point in the code where the capabilities check was previously missing. That nonce is included on the plugin’s admin pages, so an attacker who could obtain it would already have access to the functionality in question. There wasn’t a vulnerability, then: anyone who could reach the previously unprotected code could already do, through the plugin’s admin pages, what is claimed to be the vulnerability. In looking into that, we found the plugin’s code still contains vulnerabilities.
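To make the reasoning above concrete, here is an added illustration of the pattern being discussed. It is not Everest Backup’s code and not Wordfence’s; the “xb_” prefix, the hook names, the capability and the sample backup list are all hypothetical. It shows an admin page that emits a WordPress nonce and an admin-ajax handler that checks that nonce before a capability check is (or is not) performed, which is the shape of the code the changelog entry refers to.

```php
<?php
// Added illustration (not Everest Backup's code): a minimal WordPress admin
// page plus an admin-ajax handler, showing why a nonce check sitting in front
// of a missing capability check is usually not an authorization gap.
// The "xb_" prefix, hook names and sample data are hypothetical.

// 1. The admin page that emits the nonce. The third argument to
//    add_menu_page() is the capability WordPress requires before it will
//    render the page at all, so the nonce only reaches users who hold it.
add_action( 'admin_menu', function () {
    add_menu_page(
        'XB Backups',           // page title
        'XB Backups',           // menu title
        'manage_options',       // capability gating the page (and so the nonce)
        'xb-backups',           // menu slug
        'xb_render_admin_page'  // render callback
    );
} );

function xb_render_admin_page() {
    // A WordPress nonce is derived from the action, the current user's ID and
    // the session token, so a nonce copied out of an admin's browser does not
    // validate for a different account.
    $nonce = wp_create_nonce( 'xb_list_backups' );
    printf(
        '<div class="wrap"><h1>XB Backups</h1>'
        . '<button id="xb-list" data-nonce="%s">List backups</button>'
        . '<pre id="xb-out"></pre></div>',
        esc_attr( $nonce )
    );
    // Inline script for brevity; a real plugin would enqueue a file.
    ?>
    <script>
    document.getElementById('xb-list').addEventListener('click', function () {
        var body = new URLSearchParams({
            action: 'xb_list_backups',
            _ajax_nonce: this.dataset.nonce
        });
        fetch(ajaxurl, { method: 'POST', body: body, credentials: 'same-origin' })
            .then(function (r) { return r.json(); })
            .then(function (j) {
                document.getElementById('xb-out').textContent = JSON.stringify(j, null, 2);
            });
    });
    </script>
    <?php
}

// 2. The AJAX handler. Registered only on wp_ajax_ (logged-in users), not
//    wp_ajax_nopriv_, so anonymous requests never reach it.
add_action( 'wp_ajax_xb_list_backups', 'xb_ajax_list_backups' );

function xb_ajax_list_backups() {
    // CSRF check: dies with -1 (HTTP 403) unless _ajax_nonce or _wpnonce holds
    // a nonce valid for THIS user and the action 'xb_list_backups'.
    check_ajax_referer( 'xb_list_backups' );

    // The check the fix adds. Without it, the handler relies on the nonce only
    // ever being emitted to users who could open the admin page above.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // Constructed sample data standing in for a directory listing.
    $backups = array(
        array( 'file' => 'site-2023-10-27.zip', 'size' => 73400320 ),
        array( 'file' => 'site-2023-10-20.zip', 'size' => 71303168 ),
    );
    wp_send_json_success( $backups );
}
```

When deciding whether a missing capability check behind a nonce check is actually exploitable, the questions to answer are: whether the handler is also registered on a wp_ajax_nopriv_ hook (it is not here, so the nonce check already requires a logged-in user); which capability gates every place the nonce is output, since a nonce passed to the front end with wp_localize_script would reach every visitor; and whether the same nonce action string is reused by a lower-privilege flow. Only when the nonce reaches users who lack the capability does the missing current_user_can() check become an authorization flaw. The capability check is still worth having, since a nonce is a CSRF token tied to a session rather than an authorization decision, which is why adding it is a reasonable hardening change without being a fix for a vulnerability.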