Not Really a WordPress Plugin Vulnerability, Week of October 14
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.
Admin+ PHP Objection Injection in Ninja Forms
Automattic’s WPScan claimed there was an admin+ PHP objection injection vulnerability in Ninja Forms. Presumably they were trying to refer to “PHP object injection”. They explained it this way:
The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.
As usual, they don’t appear to have checked on basic things, as they refer to an “admin”, not an actual WordPress role like Administrator (in other instances when they have referred to “admin” access it didn’t actually involve the Administrator role).
Looking at the code to access the page listed in the proof of concept, someone would need to be logged in as an Administrator, as they have to have the manage_options capability:
    add_submenu_page(
        $this->parent_slug,
        $this->get_page_title(),
        $this->get_menu_title(),
        apply_filters( 'ninja_forms_submenu_' . $this->get_menu_slug() . '_capability', $this->get_capability() ),

    public function get_capability() {
        return $this->capability;
    }

    public $capability = 'manage_options';
An Administrator can already do the equivalent of this, so it wouldn’t be a vulnerability for them to intentionally do this. There is no explanation of why they would ever unintentionally import something with malicious code, and what would be imported doesn’t look like it could be coming from an untrusted source.
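As an added illustration (our own example, not Ninja Forms’ code), this is how an import routine can unserialize an Administrator-supplied file without ever instantiating a class, which removes the gadget-chain concern regardless of who can reach the page. The function name and the sample exports are made up for the example.

```php
<?php
// Added example, not code from Ninja Forms. `import_form_settings` is a
// hypothetical name for the routine that handles an uploaded export file.

// Constructed sample: a legitimate export is an array of scalars and arrays.
$legit = serialize( [ 'title' => 'Contact', 'fields' => [ 'name', 'email' ] ] );

// Constructed sample: the same structure carrying a serialized object, which
// is what any object injection would depend on. stdClass is used only so the
// class-instantiation behaviour is observable; it has no side effects.
$with_object = 'a:1:{s:5:"title";O:8:"stdClass":1:{s:1:"x";i:1;}}';

function import_form_settings( string $raw ): array {
    // allowed_classes => false (PHP 7+): every O:... entry becomes a
    // __PHP_Incomplete_Class placeholder, so no constructor, __wakeup or
    // __destruct of any class on the site is ever run by the import.
    $data = @unserialize( $raw, [ 'allowed_classes' => false ] );
    if ( ! is_array( $data ) ) {
        throw new InvalidArgumentException( 'Import is not a serialized array' );
    }

    // Belt and braces: a settings export should contain only scalars and
    // arrays, so reject the placeholders rather than silently keeping them.
    array_walk_recursive( $data, function ( $value ) {
        if ( is_object( $value ) ) {
            throw new InvalidArgumentException( 'Import contains objects; rejected' );
        }
    } );

    return $data;
}

// Usage: the first import succeeds, the second is refused.
$settings = import_form_settings( $legit );
echo $settings['title'], "\n";

try {
    import_form_settings( $with_object );
} catch ( InvalidArgumentException $e ) {
    echo $e->getMessage(), "\n";
}
```

A plugin that controls its own export format can go further and use JSON instead of PHP serialization, which has no class-instantiation step at all.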
Admin+ SQLi in Better SearchReplace
Automattic’s WPScan claimed there was an admin+ SQLi vulnerability in Better Search Replace (though they referred to it as “Better Search and Replace”). They explained it this way:
The plugin does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high privilege users to perform SQL Injection attacks
As usual, they don’t appear to have checked on basic things, as they don’t know who could access the functionality: they only say vaguely that it would be accessible by “high privilege users”, despite that usually being a critical detail in determining whether there really is a vulnerability. The proof of concept provided involved accessing the plugin’s admin page, which is normally restricted to users with the manage_options capability, so Administrators:
    $cap = apply_filters( 'bsr_capability', 'manage_options' );
    add_submenu_page( 'tools.php', __( 'Better Search Replace', 'better-search-replace' ), __( 'Better Search Replace', 'better-search-replace' ), $cap, 'better-search-replace', array( $this, 'bsr_menu_pages_callback' ) );
An Administrator can already do the equivalent of this, so it wouldn’t be a vulnerability for them to do this.
It is possible to change the capability needed, but the intended functionality of the plugin allows users to make arbitrary replacements of content in the website’s database. The claimed vulnerability is SQL injection, and making arbitrary replacements to the database would be one of the most serious things that could be done with SQL injection. If an attacker had the capability to do that, they would also be able to become an Administrator, who could already do the equivalent of this.