Mandiant’s Odd Idea of a “Vulnerability” With High Exploitability
Mandiant is a high-profile cybersecurity company, though considering how bad security is these days, being a high-profile company isn’t necessarily an indication of being good at security. Looking at a report from them of a claimed “stored Cross Site Scripting (XSS) vulnerability” (unusual capitalization is in the original) in the WordPress plugin Debug Meta Data you get a sense that they might not be good at security.
Under the Exploitability section of their report, they write this:
High – The attacker requires a user account on the application in order to inject a script. Once a script is injected, it is stored in the application and all users can be affected.
That disagrees with the Technical Details section of the same report in important ways. One being that it claims the attacker would need to intercept a request:
To exploit the vulnerability, an attacker would need to intercept a login request and inject an arbitrary JavaScript payload into their user agent string. After successfully authenticating, to trigger this vulnerability a user would just have to navigate to their profile page
(hxxps://WORDPRESSBASEURL/wp-admin/profile.php)
and the victim’s web browser will execute the JavaScript payload.
If an attacker could intercept the request, then you already have a lot of other problems, including that the attacker could probably capture the login credentials being used and could probably also send an arbitrary JavaScript payload straight back to the user. Intercepting the request also wouldn’t be easy to do.
Under the Impact heading, there are these claims as to what the attacker could do with this “vulnerability”, but an attacker who can intercept and modify requests should be able to do those things without it:
High – Attacker can execute arbitrary JavaScript in the victim’s browser. This allows the attacker to impersonate the user to the application and can be used as part of an attack to steal user credentials.
Another problem with the Exploitability claims is that it states that “Once a script is injected, it is stored in the application and all users can be affected.”, but as far as we can tell, this would only impact the user this was done to, not other users, since visiting the relevant page would output the user agent strings of that user’s own logins, not anyone else’s.
While there isn’t really a vulnerability here, the plugin should escape the information it is outputting, something we have suggested to the developer.
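To show what that escaping fix looks like in practice, here is an added example (not code from the Debug Meta Data plugin or from Mandiant’s report) that renders a constructed list of stored login user agent strings two ways: once verbatim, the pattern that makes a stored string render as markup, and once passed through esc_html() at output time. WordPress’s esc_html() does not exist outside WordPress, so the script defines a fallback with the same behaviour (htmlspecialchars with ENT_QUOTES, UTF-8) when it is missing; the record layout and function names are assumptions for the demonstration, not the plugin’s own.

```php
<?php
// Added example, not code from the Debug Meta Data plugin or Mandiant's report.
// It demonstrates the fix recommended above: escape attacker-controllable data
// (here a stored User-Agent string) at the point where it is echoed into a page.
// Outside WordPress esc_html() is undefined, so a fallback with the same behaviour
// is provided; inside a plugin you would simply call WordPress's esc_html().

if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample login records, shaped the way a plugin might keep them in
// user meta. The second record carries a harmless test payload in its User-Agent.
$login_records = [
    ['time' => '2021-01-04 09:12:55', 'ua' => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/84.0'],
    ['time' => '2021-01-04 09:15:02', 'ua' => '<script>alert("ua")</script>'],
];

// Vulnerable pattern (assumed, for illustration): the stored string is dropped into
// the page verbatim, so the browser of whoever views the page parses it as markup.
function render_logins_unescaped(array $records): string
{
    $html = "<table>\n";
    foreach ($records as $r) {
        $html .= "<tr><td>{$r['time']}</td><td>{$r['ua']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened pattern: every value is escaped as it is written out, so the same bytes
// render as visible text rather than as a script element.
function render_logins_escaped(array $records): string
{
    $html = "<table>\n";
    foreach ($records as $r) {
        $html .= '<tr><td>' . esc_html($r['time']) . '</td><td>'
               . esc_html($r['ua']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

$unsafe = render_logins_unescaped($login_records);
$safe   = render_logins_escaped($login_records);

echo "--- unescaped (vulnerable) ---\n", $unsafe;
echo "--- escaped (fixed) ---\n", $safe;

// Self-check: the raw <script> tag survives only in the unescaped rendering.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);
```

Run it with `php` from the command line; the second table row in the escaped output shows `&lt;script&gt;…` entities instead of a live tag. The point the post makes is that this change is the right one whether or not the stored value is realistically attacker-controlled: escaping at output costs nothing and removes the question entirely. Where a value lands inside an HTML attribute rather than element text, the matching WordPress function is esc_attr().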
For anyone searching for information on this, it has IDs MNDT-2021-0009 and CVE-2020-27356.