Not Really a WordPress Plugin Vulnerability, Week of December 10
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in the plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false, where the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.
Authenticated Stored Cross-Site Scripting in Fathom Analytics
Wordfence made this claim about the plugin Fathom Analytics:
The Fathom Analytics WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the fathom_site_id parameter found in the ~/fathom-analytics.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 3.0.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
The plugin was pulled from the WordPress plugin directory on December 6 and restored on December 8 after version 3.0.5 of the plugin was submitted.
If you want to argue this is a vulnerability, as they do, then the issue hasn’t been fixed, since one of the plugin’s intended settings allows a JavaScript file from an arbitrary domain to be loaded on frontend pages. That isn’t mentioned in the report or addressed in the changes made.
We would say it isn’t really a vulnerability, since it is only accessible by an Administrator.
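The handling the report implies was missing, shown as an added example that is not the Fathom Analytics plugin’s own code: validate the fathom_site_id option when it is saved and escape it where it is output. The example_ function name, the settings group, the script handle and the script URL are assumptions made for this illustration.

```php
<?php
// Added illustration, not the Fathom Analytics plugin's own code. Names other
// than the fathom_site_id option (the "example_" prefix, the settings group)
// are assumptions; the CDN URL is an assumed default.

// Validate on save: a Fathom site ID is assumed to be short and alphanumeric.
// Anything else is rejected and the previously saved value is kept.
function example_sanitize_fathom_site_id( $value ) {
    $value = sanitize_text_field( (string) $value );
    if ( ! preg_match( '/^[A-Za-z0-9]{1,32}$/', $value ) ) {
        add_settings_error(
            'fathom_site_id',
            'invalid_site_id',
            'Site ID may contain only letters and digits.'
        );
        return get_option( 'fathom_site_id', '' );
    }
    return $value;
}

add_action( 'admin_init', function () {
    register_setting( 'example_fathom_settings', 'fathom_site_id', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_fathom_site_id',
    ) );
} );

// Output: escape for the attribute context regardless of the validation above,
// so a value that reached the database by another path still cannot break out
// of the attribute. The script host is fixed here; if it were configurable, as
// the post describes for one of the plugin's settings, escaping alone would not
// make an arbitrary host safe and an allow-list of hosts would be needed.
add_action( 'wp_head', function () {
    $site_id = get_option( 'fathom_site_id', '' );
    if ( '' === $site_id ) {
        return;
    }
    printf(
        '<script src="%s" data-site="%s" defer></script>' . "\n",
        esc_url( 'https://cdn.usefathom.com/script.js' ), // assumed default
        esc_attr( $site_id )
    );
} );
```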