In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular, are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Authenticated Reflected XSS (via HOST header) in XML Sitemaps

Automattic’s WPScan has long not been concerned if they spread false reports of vulnerabilities, as can been seen by this report from a few years ago we checked due to at least one of our customers using the plugin XML Sitemaps. This involves a claimed reflected cross-site scripting (XSS) vulnerability where, based on their description, they think that this type of vulnerability involves someone attacking themself:

The plugin contains a Paypal donate button that is echoing the global variable HTTP_HOST, which can be manipulated by the visitor.

Vulnerable Code:

sitemap-ui.php L1310

echo ‘http://’ . $_SERVER[‘HTTP_HOST’]…

The visitor mentioned is the one who would be the victim of the attack as well, which doesn’t make sense.

---

Plugin Security Scorecard Grade for XML Sitemaps

Checked on September 10, 2024

See issues causing the plugin to get less than A+ grade