24 May 2024

CleanTalk Makes Up “Critical” Vulnerability in 100,000+ Install WordPress Plugin

WordPress security providers frequently falsely claim that popular WordPress plugins contain serious vulnerabilities that don’t really exist. One repeat source of those claims is CleanTalk. They recently claimed that the plugin Social Icons Widget & Block by WPZOOM, which has 100,000+ installs, contained “[a] critical security vulnerability” and the “vulnerability exposes websites to the risk of Stored Cross-Site Scripting (XSS) attacks, potentially leading to account takeover and compromising website integrity”. They also claimed that “if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back.” In reality, the “attacker” would already have to have complete control of the website and would already be allowed by WordPress to do what is supposed to be the vulnerability.

One critical element in determining the severity of a vulnerability, or if there is even a vulnerability, is what level of access is needed to exploit it. For example, if you need an account on the website, that would usually stop an attacker from exploiting the vulnerability. What is supposed to be the proof of concept for this lacks clear information to determine what level of access is needed, as it states:

When creating a new widget, insert the following payload in the “color_picker_fields” field – 123″ onmouseover=’alert(/XSS/)’ (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)

That would at least suggest that WordPress users below the Administrator level could exploit this.

Separately, a proof of concept from the Automattic-owned WPScan makes it sound like you have to be logged in to WordPress as an Administrator to exploit this:

1. As an administrator, visit /wp-admin/widgets.php and add a Social Icons from WPZoom Widget

Indeed, the page needing to be accessed is only accessible by Administrators. Someone with access to an Administrator account already has the ability to do what is claimed to be a vulnerability, as CleanTalk’s proof of concept indirectly acknowledges by mentioning that they have the unfiltered_html capability. That capability allows Administrators to have JavaScript run on the frontend of the website, which isn’t a security risk for them. Administrators have complete control of the website, so they can already take over accounts or compromise the website’s integrity.
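The capability split described above, shown as an added example of how a widget with a colour field can be written so that the question does not arise. This is not code from Social Icons Widget & Block by WPZOOM, CleanTalk or WPScan; the class name Example_Color_Widget and the field names color and title are hypothetical, and it assumes the standard WP_Widget, current_user_can(), wp_kses_post() and esc_attr() APIs from WordPress core.

```php
<?php
/*
 * Added example, not the plugin's own code. It shows the two defender-side
 * controls the post refers to: the unfiltered_html capability decides whether a
 * user may store raw HTML/JS at all, and escaping on output keeps a stored value
 * inert on the frontend regardless of who stored it.
 */

class Example_Color_Widget extends WP_Widget {

    public function __construct() {
        parent::__construct( 'example_color_widget', 'Example Color Widget' );
    }

    // Called when the widget form is saved from /wp-admin/widgets.php.
    // Only users who may manage widgets (Administrators on a normal install)
    // reach this point, which is why the post treats the "attacker" as
    // someone who already controls the site.
    public function update( $new_instance, $old_instance ) {
        $instance = $old_instance;

        // A colour value should never contain markup: accept only a hex colour,
        // so a payload such as 123" onmouseover='alert(/XSS/)' is discarded.
        $raw = isset( $new_instance['color'] ) ? trim( (string) $new_instance['color'] ) : '';
        $instance['color'] = preg_match( '/^#([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $raw ) ? $raw : '#000000';

        // Mirror core's handling of post content: users without unfiltered_html
        // get their HTML run through kses, which strips event handler attributes.
        $title = isset( $new_instance['title'] ) ? (string) $new_instance['title'] : '';
        $instance['title'] = current_user_can( 'unfiltered_html' ) ? $title : wp_kses_post( $title );

        return $instance;
    }

    // Frontend output. esc_attr() turns a double quote into &quot;, so even a
    // value that bypassed update() cannot break out of the style attribute.
    public function widget( $args, $instance ) {
        $color = isset( $instance['color'] ) ? $instance['color'] : '#000000';
        $title = isset( $instance['title'] ) ? $instance['title'] : '';

        echo $args['before_widget'];
        printf(
            '<div class="example-color" style="color:%s">%s</div>',
            esc_attr( $color ),
            wp_kses_post( $title )
        );
        echo $args['after_widget'];
    }
}

add_action( 'widgets_init', function () {
    register_widget( 'Example_Color_Widget' );
} );
```

On a single-site install Administrators hold unfiltered_html by default, so the capability check in update() only changes behaviour for lower roles (or for every role when DISALLOW_UNFILTERED_HTML is defined as true in wp-config.php); the escaping in widget() is what applies in every case.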

The claim that if “an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back” isn’t true, as an Editor account can’t do anything here. Someone with access to an Administrator account could place a real backdoor with that level of access without this plugin even being installed.

While CleanTalk claims the proof of concept “facilitat[es] account takeover and compromising website security,” the proof of concept actually only would cause an alert box to be shown.
