12 Nov 2021

Not Really a WordPress Plugin Vulnerability, Week of November 12

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports of things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Arbitrary File Deletion in Backup and Restore For WP

With a claimed arbitrary file deletion vulnerability in Backup and Restore For WP, no report is provided, only an HTTP request and the response to it. That information alone made it look like this isn’t a vulnerability, and looking at the underlying code confirms it.

The request is to the WordPress AJAX handling file /wp-admin/admin-ajax.php with the action specified being barfw_backup_ajax_redirect, which causes the function of the same name to run:

add_action('wp_ajax_barfw_backup_ajax_redirect', array( $this, 'barfw_backup_ajax_redirect' ));

In that function, the function barfw_delete_backup() is called for the request shown (its call_type is delete_backup):

public function barfw_backup_ajax_redirect(){
    $call_type = sanitize_text_field(wp_unslash($_POST['call_type']));
    switch($call_type)
    {
        case "submit_backup_settings_form":
            $this->barfw_save_backup_config_form($_POST);
            break;
        case "submit_schedule_settings_form":
            $this->barfw_save_schedule_backup_config_form($_POST);
            break;
        case "delete_backup":
            $this->barfw_delete_backup($_POST);
            break;

That function first checks for a valid nonce and that the request is coming from an Administrator:

function barfw_delete_backup($postData){
    $nonce = sanitize_text_field(wp_unslash($postData['nonce']));
    if ( ! wp_verify_nonce( $nonce, 'delete_entry' ) ){
        wp_send_json('ERROR');
    }

    if(current_user_can('administrator')){

An Administrator can already use the capabilities they have to delete arbitrary files. In this case, the Administrator has access to a backup and restoration plugin, which intentionally provides them with a range of capabilities.

Stored Cross-Site Scripting in AccessPress Social Icons

With a claimed stored cross-site scripting vulnerability in the plugin AccessPress Social Icons, the instructions are not very clear, but it seems to be referring to something that is only accessible from one of the plugin’s admin pages:

Open plugin on the left frame and keep going “add new” field. Click “Choose icon individually” and fill other fields.

That is only accessible by Administrators, who have the capability to do the equivalent of cross-site scripting (XSS). The underlying code that handles saving the changes, though, is missing a capabilities check, but it has a nonce check, which, while not intended to be a capabilities check, would normally provide the equivalent of that. Also, in our limited testing, it looks like the JavaScript code was only output unescaped when saving it, and after that it is escaped. We tried to notify the developer of the claim and suggest they should add a capabilities check and may want to add sanitization to the code, but their contact form didn’t work.
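Both items above come down to the same pair of checks in a WordPress AJAX handler: a nonce check, which only protects against cross-site request forgery, and a capabilities check, which is the actual authorization. The following is an added example written for this post, not code from Backup and Restore For WP or AccessPress Social Icons, showing a minimal settings-save handler that has both checks, sanitizes the submitted values on save and escapes them on output. Every ex_-prefixed name, the option name and the field names are assumptions.

```php
<?php
// Added example (not from either plugin discussed above). All ex_-prefixed
// names, the option name and the POST field names are hypothetical.

// Register the handler for logged-in users, the same mechanism the
// wp_ajax_barfw_backup_ajax_redirect hook above uses.
add_action( 'wp_ajax_ex_save_icon_settings', 'ex_save_icon_settings' );

function ex_save_icon_settings() {
    // 1. Nonce: proves the request originated from a page WordPress rendered
    //    for this user (CSRF protection). It says nothing about what the user
    //    is allowed to do. check_ajax_referer() calls wp_die() on failure, so
    //    no code below runs for a bad nonce. The form that posts here would
    //    emit the field with wp_nonce_field( 'ex_save_icon_settings', 'nonce' ).
    check_ajax_referer( 'ex_save_icon_settings', 'nonce' );

    // 2. Capability: the authorization check a nonce alone does not provide.
    //    Check a capability rather than a role name; WordPress documents
    //    role-name checks via current_user_can() as discouraged and unreliable.
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() also calls wp_die(), ending the request here.
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Sanitize on save. Plain-text fields get sanitize_text_field(); a URL
    //    gets esc_url_raw(). A field that legitimately carries limited markup
    //    would go through wp_kses_post() instead of being stored raw.
    $title = isset( $_POST['icon_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['icon_title'] ) )
        : '';
    $url = isset( $_POST['icon_url'] )
        ? esc_url_raw( wp_unslash( $_POST['icon_url'] ) )
        : '';

    update_option( 'ex_icon_settings', array( 'title' => $title, 'url' => $url ) );

    wp_send_json_success( array( 'title' => $title, 'url' => $url ) );
}

// 4. Escape on output, in the context each value lands in. The values are
//    escaped here even though they were sanitized on save, so data stored by
//    an older or weaker version of the save handler still cannot run as script.
function ex_render_icon_link() {
    $settings = get_option( 'ex_icon_settings', array( 'title' => '', 'url' => '' ) );
    printf(
        '<a href="%s">%s</a>',
        esc_url( $settings['url'] ),
        esc_html( $settings['title'] )
    );
}
```

The split between steps 1 and 2 is the point of both items: in the Backup and Restore For WP code both checks are present, so only an Administrator reaches the file deletion, and in the AccessPress Social Icons code the nonce check stands in for the missing capabilities check, which is why neither is a vulnerability as claimed. Step 4 is what makes the stored value harmless on display regardless of what was saved.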
