2 May 2022

Wordfence Doesn’t Understand What an Open Redirect Is

One of the changelog entries for the latest version of the WordPress plugin Ultimate Member is:

Fixed: Issue with echo XSS on User Profile

As at least one customer of our main service is using the plugin, we looked into that at the time the version was released, as we do whenever a plugin used by a customer has a changelog entry that indicates a possible security fix. We were not able to figure out how the described vulnerability could have been exploited before the changes were made. That could be because we missed something, or it could be because there really wasn't such an issue.

Now the WordPress security company Wordfence has claimed that a vulnerability loosely related to that entry was fixed in the same version of the plugin. But what they describe doesn't appear to be a vulnerability at all. Here is how they describe it:

The Ultimate Member plugin for WordPress is vulnerable to open redirects due to insufficient validation on supplied URLs in the social fields of the Profile Page, which makes it possible for attackers to redirect unsuspecting victims in versions up to, and including, 2.3.1.

An open redirect is a URL on one site that sends the visitor on to an arbitrary, attacker-chosen URL, usually taken from a parameter. It might look like this: https://example.com/?redirect=https://www.pluginvulnerabilities.com/. Here the "redirect" URL parameter causes the browser to be redirected from example.com to our website (or whatever URL is specified), so an attacker can hand out a link that appears to point at a trusted site but lands somewhere else. What Wordfence seems to be describing, and what matches the change made in the plugin, is instead a user being able to specify the URL of a link in the social fields of their own profile. No redirect occurs there, much less an open one: the visitor sees a link and decides whether to click it.

Nor does the change add any validation of those URLs. What was added is a message shown when clicking on the links:

This link leads to a 3rd-party website. Make sure the link is safe and you really want to go to this website:

Oddly, the plugin already validated the URLs entered in some of the social fields but not in others, even though it clearly could have done so for all of them.
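To make the distinction between the two things concrete, here is an added example in PHP (the plugin's language). It is not code from Ultimate Member, Wordfence or WordPress core; the redirect endpoint, the allowlist of network hosts and the sample inputs are made up for the illustration. The first pair of functions shows a genuine open redirect beside a same-host-only redirect. The second shows the kind of check that would actually fit a profile social field: that the stored value is an http(s) URL on the network the field is for, before it is printed as a link.

```php
<?php
// Added example; not code from Ultimate Member, Wordfence or WordPress core.
// The endpoint, the $networks table and the sample inputs are assumptions
// made up for this illustration.

// (1) What an open redirect actually is: the server emits a Location header
// built from an attacker-chosen parameter, so
//   https://example.com/?redirect=https://attacker.example/
// sends the visitor off example.com with no check at all.
function redirect_location(array $query): ?string {
    return isset($query['redirect']) ? $query['redirect'] : null;   // open redirect
}

// Hardened counterpart: only same-host http(s) targets are honoured; anything
// else falls back to the site root. Backslashes and protocol-relative
// URLs (//host/...) are rejected explicitly because browsers accept them.
function safe_redirect_location(array $query, string $site_host): string {
    $fallback = 'https://' . $site_host . '/';
    $target = str_replace('\\', '/', $query['redirect'] ?? '');
    if ($target === '' || substr($target, 0, 2) === '//') {
        return $fallback;
    }
    $p = parse_url($target);
    if ($p === false) {
        return $fallback;
    }
    if (isset($p['scheme']) && !in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return $fallback;                                   // javascript:, data:, ...
    }
    if (isset($p['host'])) {
        return strcasecmp($p['host'], $site_host) === 0 ? $target : $fallback;
    }
    // Relative path: anchor it to our own host.
    $path = $p['path'] ?? '/';
    return 'https://' . $site_host . ($path !== '' && $path[0] === '/' ? $path : '/' . $path);
}

// (2) What a profile "social field" is: a URL the user stores that is later
// printed as the href of a link on their own profile. Nothing redirects; the
// visitor just sees a link. The check that belongs here is that the value is
// a real profile URL on the network the field is for.
$networks = [                                   // assumed allowlist, not the plugin's
    'twitter'  => ['twitter.com', 'www.twitter.com'],
    'facebook' => ['facebook.com', 'www.facebook.com'],
    'linkedin' => ['linkedin.com', 'www.linkedin.com'],
];

function validate_social_url(string $field, string $url, array $networks): ?string {
    if (!isset($networks[$field])) {
        return null;                                        // unknown field
    }
    $p = parse_url(trim($url));
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;                                        // relative or schemeless
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;                                        // javascript:, data:, ...
    }
    if (!in_array(strtolower($p['host']), $networks[$field], true)) {
        return null;                                        // points at some other site
    }
    return $url;
}

// Render the link only if validation passed; escape for an HTML attribute.
function social_link_html(string $field, string $url, array $networks): string {
    $ok = validate_social_url($field, $url, $networks);
    if ($ok === null) {
        return '';
    }
    return '<a href="' . htmlspecialchars($ok, ENT_QUOTES, 'UTF-8') . '" rel="nofollow noopener">'
        . htmlspecialchars($field, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample input.
$query = ['redirect' => 'https://www.pluginvulnerabilities.com/'];
var_dump(redirect_location($query));                     // followed as-is: the open redirect
var_dump(safe_redirect_location($query, 'example.com')); // off-site host, falls back to site root
var_dump(safe_redirect_location(['redirect' => '/account'], 'example.com'));
var_dump(validate_social_url('twitter', 'https://twitter.com/someone', $networks));
var_dump(validate_social_url('twitter', 'https://www.pluginvulnerabilities.com/', $networks));
echo social_link_html('twitter', 'https://twitter.com/someone', $networks), "\n";
```

For the redirect case WordPress core already ships wp_safe_redirect() and wp_validate_redirect(), which restrict the target to the site's own host by default. A plugin storing per-network profile URLs has to supply the equivalent host check itself, and a warning shown when a link is clicked is not a substitute for it.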

Why is Wordfence a CVE Numbering Authority (CNA)?

Wordfence issued a CVE entry, CVE-2022-1209, for this false report.

Wordfence could create a CVE entry because they are a CVE Numbering Authority (CNA). The CVE program describes CNAs this way:

In general, CNAs are vendors or other seasoned organizations with a record of researching vulnerabilities and demonstrating security advisory capabilities. They commonly have an established user base, and their security information is regularly consulted by researchers and vendors. They may also be well-established bug bounty hunters.

An onboarding process has been established to ensure that CNAs meet the standards of the CVE program. Potential CVE analysts and CNA candidates are given strict instructions for vetting vulnerabilities, including a wide range of examples and exercises. Should a CNA demonstrate the appropriate level of expertise and communication required, they are approved and become operational.

By any reasonable measure, that doesn't describe Wordfence, based on this situation, or other CNAs we have run across.