The “Security Experts” at Automattic’s WPScan Don’t Appear to Understand The Implication of Being Able to Replace WordPress
One of the biggest problems we run into while compiling data on vulnerabilities in WordPress plugins these days is the number of false reports out there. While that has been a problem for years, what makes it more problematic now is that “security experts” are spreading these false claims instead of knocking them down. One frequent source of that is WPScan, which is owned by the company closely connected with WordPress, Automattic. That entity is marketed with the claim that they are a “Dedicated team of WordPress security experts”, which doesn’t match up with what we keep seeing.
One of the changelog entries for the latest version of the WordPress plugin WP Downgrade is:
security fix (Thanks for reporting!)
That plugin is used by at least one of our customers, so we checked whether there was a vulnerability we should warn them had existed in the plugin. What we found was that there wasn’t one, though a security improvement was being made. Days later, WPScan falsely claimed there was a vulnerability being fixed.
WPScan claims there was an “Admin+ Stored Cross-Site Scripting” in the plugin:
As usual, they don’t explain what “Admin+” is supposed to be, which is a bad sign already.
The description of the claimed issue is this:
The plugin only performs client side validation of its “WordPress Target Version” settings, but does not sanitise and escape it server side, allowing high privilege users such as admin to perform Cross-Site attacks even when the unfiltered_html capability is disallowed
To access the relevant page, you have to be logged in as an Administrator:
add_submenu_page('options-general.php', 'WP Downgrade', 'WP Downgrade', 'administrator', 'wp_downgrade', 'wp_downgrade_settings_page');
So this really isn’t a vulnerability, since, among other things, Administrators can normally remove security protections in plugins. As usual, WPScan doesn’t seem to understand WordPress’ security model. But in this case the situation is worse. As we found when we originally looked into the possibility of a vulnerability being fixed, another of the plugin’s settings, changed through the same page, allows you to specify an arbitrary URL from which to download WordPress and replace the existing install:
The implication of that should be obvious to any security expert: a person with access to change the plugin’s settings can run arbitrary code on the website. Through that, they can cause cross-site scripting to occur as well. So either there still is a vulnerability here, which WPScan somehow missed, or, in reality, there never was a vulnerability.
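For readers maintaining a plugin with settings like these, here is an added example (not code from WP Downgrade or its author) of the server-side handling the report says was missing: a sanitize callback that rejects anything that isn’t a plain version number, a second one that only accepts an https download URL on wordpress.org, and escaping on output. The option and function names are made up for the illustration.

```php
<?php
// Added example, not the plugin's own code. Option names are assumed.

// Accept only a plain WordPress version number such as 6.4 or 6.4.2.
function wpd_example_sanitize_target_version( $value ) {
    $value = trim( (string) $value );
    if ( ! preg_match( '/^\d+(\.\d+){1,2}$/', $value ) ) {
        add_settings_error(
            'wpd_example_target_version',
            'invalid_version',
            __( 'Target version must look like 6.4 or 6.4.2.', 'wpd-example' )
        );
        // Keep the previously saved value instead of storing the bad input.
        return get_option( 'wpd_example_target_version', '' );
    }
    return $value;
}

// This setting decides which package replaces the installation, so only
// allow https URLs whose host is wordpress.org or a subdomain of it.
function wpd_example_sanitize_package_url( $value ) {
    $url  = esc_url_raw( trim( (string) $value ), array( 'https' ) );
    $host = $url ? wp_parse_url( $url, PHP_URL_HOST ) : null;
    $ok   = is_string( $host )
        && ( $host === 'wordpress.org' || substr( $host, -14 ) === '.wordpress.org' );
    if ( ! $ok ) {
        add_settings_error(
            'wpd_example_package_url',
            'invalid_url',
            __( 'Package URL must be an https URL on wordpress.org.', 'wpd-example' )
        );
        return '';
    }
    return $url;
}

// register_setting() runs the sanitize callbacks on every save, whoever saves.
function wpd_example_register_settings() {
    register_setting( 'wpd_example', 'wpd_example_target_version', array(
        'type'              => 'string',
        'sanitize_callback' => 'wpd_example_sanitize_target_version',
    ) );
    register_setting( 'wpd_example', 'wpd_example_package_url', array(
        'type'              => 'string',
        'sanitize_callback' => 'wpd_example_sanitize_package_url',
    ) );
}
add_action( 'admin_init', 'wpd_example_register_settings' );

// Escape on output as well, so a stored value can never become markup.
function wpd_example_render_version_field() {
    printf(
        '<input type="text" name="wpd_example_target_version" value="%s" />',
        esc_attr( get_option( 'wpd_example_target_version', '' ) )
    );
}
```

The version check removes the stored XSS the report describes, while the URL check addresses the far more significant setting the report overlooks; neither changes the fact that only Administrators can reach the page.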
Patchstack Too
WPScan wasn’t alone in this. Patchstack markets its data with this claim:
Hand curated, verified and enriched vulnerability information by Patchstack security experts.
In reality, much of their data looks to be simply copied from WPScan, so, not surprisingly, they are also spreading the false claim of there being a vulnerability here:
If they actually verified things, then they wouldn’t have.
CVE Issue
Despite this not really being a vulnerability, it was given a CVE identifier, CVE-2022-1001. This is a problem since CVE IDs are treated, for reasons we don’t understand, as giving a claimed vulnerability significance, despite being handed out for things that are not even vulnerabilities.