24 Apr 2025

Snyk is Claiming That Select2 JavaScript Library Contained XSS Vulnerability, It Was Actually in Its Documentation

As part of our continuing work on our Plugin Security Scorecard, we are working to expand the amount of security information we can provide on third-party libraries in WordPress plugins. One problem you run into when trying to do something like that is that, as with WordPress plugins, there is plenty of misinformation out there. That appears to be the case with a claim of a vulnerability in the Select2 library made by security provider Snyk.

We recently noticed that a WordPress plugin had a changelog indicating that the library had been updated to address an XSS (cross-site scripting) issue. Checking the page that shows security advisories for the library on GitHub, there are no advisories. So either the developer hadn’t created an advisory for the issue or there wasn’t an issue.

In looking further into this, we found Snyk being cited as the source for the claim of that issue in the library with another WordPress plugin:

In Select2 through version 4.0.8, as used in Snipe-IT and other products, rich selectlists allow XSS. This affects use cases with Ajax remote data loading when HTML templates are used to display listbox data. For more info see https://security.snyk.io/vuln/SNYK-JS-SELECT2-456562

Confusingly, Snyk claimed it was an issue through version 4.0.8:

Upgrade select2 to version 4.0.8 or higher.

But they were citing a CVE record that claimed it was through 4.0.5 and, importantly, tied the issue to how another piece of software, Snipe-IT, used the library:

In Select2 through 4.0.5, as used in Snipe-IT and other products, rich selectlists allow XSS. This affects use cases with Ajax remote data loading when HTML templates are used to display listbox data.

Snyk goes on to provide four references:

The two links labeled GitHub commits are for the Select2 documentation repository, not the Select2 library itself. The two GitHub issues are about an XSS issue with the documentation. Here is an explanation given in one of those issue pages:

There was an XSS vulnerability that existed because of a misconfiguration within the Select2 documentation website. Thanks to the fact that people blindly copy/paste from the source code on the documentation website (as well as the examples, some of which had an issue as well), this was referenced in a CVE where someone has misconfigured Select2 to enable XSS within their application.

That was written by the person that released version 4.0.8 of Select2. There is nothing we could see that would suggest that version 4.0.8 actually would have fixed an issue here. The explanation for why they claimed that version fixed it could simply be that it was the last version released when they put out their information.

So if there was an issue, it would seem to still exist. But it seems like the reality here is that there wasn’t a vulnerability in Select2 and Snyk is misleading people.
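To make concrete what that issue comment means by a misconfiguration, here is an added example (not code from the original post or from Select2) that models Select2's result-rendering step in plain JavaScript. It assumes only that the Select2 options `templateResult` and `escapeMarkup` behave as their names suggest; every other name and the sample item are our own constructions.

```javascript
// Added example (not Select2's or the post's code): a minimal model of how
// Select2 4.x turns a remote result into listbox markup, showing why the
// documentation's escapeMarkup override makes Ajax data an XSS sink and how
// escaping the interpolated values closes it. Only `templateResult` and
// `escapeMarkup` are real Select2 option names; the rest is our own.

// Approximation of Select2's default escapeMarkup: HTML-escape the string.
function defaultEscapeMarkup(markup) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(markup).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Model of the rendering step: templateResult builds the content and, when
// that content is a string, escapeMarkup is applied before it reaches the DOM.
function renderResult(item, options = {}) {
  const templateResult = options.templateResult || ((i) => i.text);
  const escapeMarkup = options.escapeMarkup || defaultEscapeMarkup;
  const content = templateResult(item);
  return typeof content === 'string' ? escapeMarkup(content) : content;
}

// Constructed item, as an Ajax endpoint that echoes user-supplied data might return it.
const untrustedItem = { id: 7, text: '<script>alert(1)</script>' };

// Vulnerable pattern from the old docs: an HTML template that interpolates the
// remote value as-is, with escapeMarkup disabled so the template is not escaped.
const vulnerableConfig = {
  templateResult: (item) => '<span class="result">' + item.text + '</span>',
  escapeMarkup: (markup) => markup,
};

// Hardened pattern: escape every interpolated value inside the template, so the
// pass-through escapeMarkup only lets the template's own markup through.
const hardenedConfig = {
  templateResult: (item) => '<span class="result">' + defaultEscapeMarkup(item.text) + '</span>',
  escapeMarkup: (markup) => markup,
};

// Detection helper: does the rendered markup still carry a raw script tag?
function containsRawScript(html) {
  return /<script/i.test(html);
}

console.log('vulnerable:', renderResult(untrustedItem, vulnerableConfig));
console.log('hardened:  ', renderResult(untrustedItem, hardenedConfig));
console.log('default:   ', renderResult(untrustedItem));
```

In real Select2 a third safe option is to return a DOM element or jQuery object from `templateResult`, since non-string content skips `escapeMarkup` and is inserted as a node rather than parsed as HTML.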
