WPScan Vulnerability Database Leaving Those Relying on It Unaware of “Vulnerability” in Plugin With 500,000+ Installs
When it comes to getting data on vulnerabilities in WordPress plugins, what we have noticed is that many sources are not using unique data, but instead reusing data from another source, often without letting people know what the true source is and never with a disclaimer about the quality issues that are inherent in that data source. That source is the WPScan Vulnerability Database, but recently we realized that they in fact are often just copying their data from yet another source: the Common Vulnerabilities and Exposures (CVE) system. As we have more closely monitored that source recently, we have noticed plenty of issues with it. This week we noticed something that wasn’t as much of a concern, but does present a worse picture of the WPScan Vulnerability Database.
Earlier this week CVE-2019-12566 was published, which involves a claimed stored XSS vulnerability in WP Statistics, which has 500,000+ installs according to wordpress.org. The summary for that is:
The WP Statistics plugin through 12.6.5 for WordPress has stored XSS in includes/class-wp-statistics-pages.php. This is related to an account with the Editor role creating a post with a title that contains JavaScript, to attack an admin user.
An Editor-level user in WordPress is in fact allowed to do what is described there, since they have the “unfiltered_html” capability. The related GitHub issue for that confirms that this involves an Editor doing something they are allowed to do, separate from anything in this plugin. To the extent this would be argued to be a vulnerability, it would be that it could cause malicious JavaScript to run on admin pages for an Administrator, but even without the plugin, in the same situation the malicious JavaScript could run on frontend pages.
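To make the capability point concrete, here is an added example in plain PHP; it is not code from the original post or from WP Statistics. It assumes WordPress is not loaded: the role map, the sample title and the strip_tags() stand-in for wp_kses() are constructed for the demonstration, while in WordPress itself the capability check is current_user_can('unfiltered_html') and the output-escaping helper is esc_html(). The example shows why a plugin rendering post titles on admin pages cannot rely on save-time filtering (Editors keep raw HTML) and should escape on output instead.

```php
<?php
// Added example, not code from WP Statistics or from the original post.
// Assumption: plain PHP with no WordPress loaded. In WordPress the capability
// check is current_user_can('unfiltered_html') and the output escaper is
// esc_html(); htmlspecialchars() stands in for it here.

// Constructed sample: a title an Editor could save unchanged, because Editors
// hold the unfiltered_html capability on a default single-site install.
const SAMPLE_TITLE = 'Quarterly report <script>alert(1)</script>';

// Constructed role map mirroring which default roles carry unfiltered_html on
// a single-site WordPress install (Administrator and Editor do; Author,
// Contributor and Subscriber do not).
const ROLE_HAS_UNFILTERED_HTML = [
    'administrator' => true,
    'editor'        => true,
    'author'        => false,
    'contributor'   => false,
    'subscriber'    => false,
];

// Models save time: roles without unfiltered_html get their content run
// through kses, roles with it keep the raw HTML. strip_tags() is a crude
// stand-in for wp_kses() and exists only to make the point runnable.
function title_as_stored(string $title, string $role): string
{
    if (ROLE_HAS_UNFILTERED_HTML[$role] ?? false) {
        return $title;          // stored exactly as typed
    }
    return strip_tags($title);  // stand-in for kses filtering
}

// Unsafe admin-page rendering: the stored title is interpolated straight into
// HTML, so a title saved with raw markup executes in the viewing admin's browser.
function render_title_cell_unescaped(string $stored_title): string
{
    return '<td>' . $stored_title . '</td>';
}

// Hardened rendering: escape on output regardless of who saved the title.
// In WordPress this would be '<td>' . esc_html($stored_title) . '</td>'.
function render_title_cell_escaped(string $stored_title): string
{
    return '<td>' . htmlspecialchars($stored_title, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

foreach (['editor', 'author'] as $role) {
    $stored = title_as_stored(SAMPLE_TITLE, $role);
    echo "role={$role}\n";
    echo "  stored:    {$stored}\n";
    echo "  unescaped: " . render_title_cell_unescaped($stored) . "\n";
    echo "  escaped:   " . render_title_cell_escaped($stored) . "\n";
}
```

Run it with `php example.php`: for the editor role the stored title keeps its script tag and only the escaped renderer neutralises it, while for the author role the stand-in filtering already stripped the tags at save time. The escaped renderer is the correct control in both cases, which is why output escaping in the plugin, not the Editor's capability, is the relevant mitigation.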
Where the WPScan Vulnerability Database comes into this is that they have known about this for several days but didn’t promptly warn people using their data set about it, despite believing it is a vulnerability:
Hi! Ryan from wpvulndb.com here.
Do you know when the next version will be released which includes this patch?
We’d like to add the vulnerability to our database, but would prefer to do so once it has been patched.
Thanks!
Deciding when to disclose vulnerabilities or provide more information can be complicated, but considering that they are just copying publicly available data that is already widely available, it doesn’t seem like sitting on this would make sense. There are larger issues along those lines with the WPScan Vulnerability Database that involve vulnerabilities that are real enough to be actively exploited while they are sitting on them.