Automattic’s WPScan Still Isn’t Verifying Claimed Vulnerabilities Despite Stating Otherwise
Automattic’s WPScan recently claimed there was an admin+ arbitrary file access vulnerability in WPForms Lite. The entry was marked as verified. Testing indicates that isn’t the case.
They described the vulnerability this way:
The plugin does not validate email template paths, which could allow high privilege users such as admin (for example in multisite) to access arbitrary files on the web server via a path traversal attack
The description doesn’t pin down which WordPress role is supposed to be able to exploit the claimed vulnerability (“high privilege users such as admin”), which is a pretty strong indication that they haven’t verified it.
The second step in the provided proof of concept requires the attacker to have access to the plugin’s admin Settings page:
2. Go to `/wp-admin/admin.php?page=wpforms-settings&view=email`.
To access that, you have to be logged in as an Administrator, since the submenu page is registered with a capability that defaults to manage_options:

```php
add_submenu_page(
    'wpforms-overview',
    esc_html__( 'WPForms Settings', 'wpforms-lite' ),
    esc_html__( 'Settings', 'wpforms-lite' ),
    $manage_cap,
```

```php
$manage_cap = wpforms_get_capability_manage_options();
```

```php
function wpforms_get_capability_manage_options() {
    return apply_filters( 'wpforms_manage_cap', 'manage_options' );
```
An Administrator can already do the equivalent of this, so it wouldn’t be a vulnerability for them to do it. But there are further problems.
We followed the proof of concept’s instructions and found it didn’t work. It is claimed that an “email displaying contents of file” would be sent, but in our testing no email was sent when things were set up as the proof of concept instructs. If WPScan hasn’t tested the proof of concept, which is the only specific information provided, how could they have verified the vulnerability?
The other problem with the claim is that the relevant functionality in the plugin includes the specified file as PHP rather than reading it as text, so any PHP code in it runs and you wouldn’t receive the contents of the file if it is a PHP file. The proof of concept, though, targets a PHP file, /wp-admin/edit-form-comment.php (the proof of concept also incorrectly lists it as /wp-admin/wp-admin/edit-form-comment.php). So even if the proof of concept led to an email being sent in someone else’s testing, it couldn’t produce the claimed result.
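To make the include-versus-read distinction concrete, here is an added example (not WPForms code, and not from the WPScan entry) of a hypothetical template loader, render_template_unsafe, that takes a user-controlled template name and passes it to include, alongside a hardened variant, render_template_safe, that confines the resolved path to the template directory. The directory and the three sample files are constructed for the demonstration; the file standing in for /wp-admin/edit-form-comment.php is just a small PHP file.

```php
<?php
// Added example, not the plugin's own code. A hypothetical template loader
// that mirrors the pattern described above: a user-supplied template name
// ends up in an include. All paths and files below are constructed.

$dir = sys_get_temp_dir() . '/tpl-demo-' . getmypid();
mkdir($dir);
mkdir("$dir/templates");
// Legitimate template shipped with the (hypothetical) plugin.
file_put_contents("$dir/templates/default.php",
    "<p>Hello, <?php echo htmlspecialchars(\$name); ?></p>\n");
// Stand-in for a PHP file outside the template directory, like /wp-admin/edit-form-comment.php.
file_put_contents("$dir/outside.php", "<?php echo \"executed, not disclosed\\n\"; ?>\n");
// Stand-in for a non-PHP file outside the template directory.
file_put_contents("$dir/secret.txt", "db_password=hunter2\n");

// Vulnerable pattern: the template name is used as given, so "../" walks out of
// the directory. Whatever the path points at is *included*: PHP files execute and
// only their output is captured, non-PHP files are echoed verbatim.
function render_template_unsafe(string $template_dir, string $template, array $vars): string {
    extract($vars);
    ob_start();
    include $template_dir . '/' . $template;   // no traversal check
    return ob_get_clean();
}

// Hardened pattern: resolve the path, require it to stay inside the template
// directory, and only accept the .php templates the plugin ships.
function render_template_safe(string $template_dir, string $template, array $vars): string {
    $base = realpath($template_dir);
    $path = realpath($template_dir . '/' . $template);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || pathinfo($path, PATHINFO_EXTENSION) !== 'php') {
        throw new InvalidArgumentException("Template not allowed: $template");
    }
    extract($vars);
    ob_start();
    include $path;
    return ob_get_clean();
}

$vars = ['name' => 'Alice'];

// 1. Legitimate template: renders "<p>Hello, Alice</p>".
echo render_template_unsafe("$dir/templates", 'default.php', $vars);

// 2. Traversal to a PHP file: the file runs, so its source is never returned.
//    This is why a PHP target could not be disclosed even if an email were sent.
echo render_template_unsafe("$dir/templates", '../outside.php', $vars);

// 3. Traversal to a non-PHP file: this one *is* disclosed verbatim.
echo render_template_unsafe("$dir/templates", '../secret.txt', $vars);

// 4. The hardened loader rejects both traversal attempts.
foreach (['../outside.php', '../secret.txt'] as $bad) {
    try {
        render_template_safe("$dir/templates", $bad, $vars);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}

// Cleanup of the constructed files.
array_map('unlink', glob("$dir/templates/*"));
array_map('unlink', ["$dir/outside.php", "$dir/secret.txt"]);
rmdir("$dir/templates");
rmdir($dir);
```

Run it with `php demo.php`. Case 2 prints only “executed, not disclosed”, never the `<?php` source, while case 3 prints the raw line from secret.txt; that asymmetry is the reason a proof of concept pointed at a PHP file cannot demonstrate file disclosure through an include, whatever else the plugin does. The hardened variant uses realpath plus a prefix comparison rather than stripping “../”, since the latter is easy to bypass with encoded or doubled sequences.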
Verification is Critical
Since there wasn’t really a vulnerability, the lack of verification has a limited impact here. But verification is critical when there really is a vulnerability, as it is common for both plugin developers and the discoverer of a vulnerability to claim that it has been fixed when it hasn’t.