Not Really a WordPress Plugin Vulnerability, Week of November 25
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of those that we haven’t felt rose to that level. In particular, there are items that are not outright false, just ones where the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.
Admin+ Blind SSRF in Post SMTP
Automattic’s WPScan claimed an admin+ blind SSRF vulnerability had existed in Post SMTP. The description doesn’t make sense:
The plugin does not have proper authorisation in some AJAX actions, which could allow high privilege users such as admin to perform blind SSRF on multisite installations for example.
So the claim is that the functionality is limited to the highest privilege users, Administrators, but also that it doesn’t have “proper authorisation”, presumably referring to limiting access to certain users. Those two things can’t both be true.
Looking at the changes made in the version that was supposed to fix this, a capabilities check was added. But there was already a nonce check. A nonce on its own is not an authorization check, but a WordPress nonce is generated for a specific user and action and is only printed on the page that uses it, so in normal circumstances only users who can load that admin page can make a valid request. That would already limit access, which is consistent with WPScan’s own claim that access was limited to admin+ users.
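To make the distinction concrete, here is an added illustration of the two shapes of AJAX handler being discussed. It is not code from Post SMTP; the hook names, nonce action, option and function names are all hypothetical. The first handler relies on the nonce alone, the second adds the explicit capability check, and both are reachable by the same set of users, which is the point made above.

```php
<?php
// Added illustration for this post, not code from Post SMTP. The hook names,
// nonce action, capability and function names are all hypothetical.

// 1. Where the nonce comes from. A nonce is minted for the current user and a
//    named action, and it is only printed on pages that user can reach. This
//    menu page is registered with the manage_options capability, so in normal
//    circumstances only Administrators ever receive a valid nonce.
add_action( 'admin_menu', 'example_register_page' );
function example_register_page() {
    add_menu_page( 'Example', 'Example', 'manage_options', 'example-page', 'example_render_page' );
}
function example_render_page() {
    $nonce = wp_create_nonce( 'example_fetch_url' );
    echo '<script>var exampleNonce = ' . wp_json_encode( $nonce ) . ';</script>';
}

// 2. The "before" shape: nonce check only. check_ajax_referer() ends the
//    request unless the nonce is valid for this user and action, so a user who
//    could never load the page above cannot get past it. It is a CSRF check,
//    though, not an authorization check: it proves the request was intended,
//    not that the user is allowed to do what it asks.
add_action( 'wp_ajax_example_fetch_url_before', 'example_fetch_url_before' );
function example_fetch_url_before() {
    check_ajax_referer( 'example_fetch_url', 'nonce' );
    wp_send_json( example_fetch( isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '' ) );
}

// 3. The "after" shape: an explicit capability check alongside the nonce. The
//    set of users who can reach this does not change (still Administrators);
//    the handler now states the requirement itself instead of inheriting it
//    from wherever the nonce happens to be printed.
add_action( 'wp_ajax_example_fetch_url_after', 'example_fetch_url_after' );
function example_fetch_url_after() {
    check_ajax_referer( 'example_fetch_url', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient privileges.', 403 );
    }
    wp_send_json( example_fetch( isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '' ) );
}

// The server-side request shared by both handlers. This is the "SSRF" in
// question: the server fetches a URL chosen by the caller. Nothing in either
// handler stops an Administrator from doing this.
function example_fetch( $url ) {
    $url = esc_url_raw( $url );
    if ( '' === $url ) {
        return array( 'error' => 'No URL supplied.' );
    }
    $response = wp_remote_get( $url, array( 'timeout' => 5 ) );
    if ( is_wp_error( $response ) ) {
        return array( 'error' => $response->get_error_message() );
    }
    return array( 'status' => wp_remote_retrieve_response_code( $response ) );
}
```

The capability check is still worth adding, because it makes the handler correct regardless of where the nonce is later printed, but adding it does not change who can reach the request, which is why the “before” and “after” versions have the same exposure.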
It is still possible for an Administrator to do the equivalent of server-side request forgery (SSRF) after the change was made, so if this were a vulnerability it would still exist after the change, which makes WPScan’s information incomprehensible.
As Administrators can do what is claimed to be a vulnerability without the plugin, this wouldn’t be a vulnerability.
This false report was given a CVE id by WPScan, CVE-2022-2352, despite not really being a vulnerability.
Admin+ Stored Cross-Site Scripting in Post SMTP
Automattic’s WPScan also claimed an admin+ stored cross-site scripting vulnerability had existed in Post SMTP. The description is as follows:
The plugin does not escape some of its settings before outputting them in the admins dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed.
The proof of concept says that you would have to have access to the plugin’s admin pages to do that:
Put the following payload in the Post SMTP > Settings > Advanced > "Temporary Directory" settings: /tmp" style=animation-name:rotation onanimationstart=alert(/XSS/)//
Looking at the code, the only users with access would be those with the Administrator role.
If an attacker is logged in as an Administrator they can do basically whatever they want, which usually includes granting themselves the unfiltered_html capability, so this really wouldn’t be a vulnerability.
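For readers who want to see what the missing escaping looks like, here is an added illustration using the payload from WPScan’s proof of concept. It is not Post SMTP’s code; the option name, field name and function are hypothetical. It renders the same stored value once without escaping and once through esc_attr().

```php
<?php
// Added illustration for this post, not code from Post SMTP. The option name,
// field name and function are hypothetical; the payload is the one from
// WPScan's proof of concept.

// Renders the setting as a text input. With $escape false the stored value is
// dropped straight into the value="" attribute, the way unescaped settings
// output would be; with $escape true it goes through esc_attr().
function example_render_temp_dir_field( $value, $escape ) {
    $out = $escape ? esc_attr( $value ) : $value;
    return '<input type="text" name="example_temp_directory" value="' . $out . '">';
}

$payload = '/tmp" style=animation-name:rotation onanimationstart=alert(/XSS/)//';

// Unescaped: the double quote in the payload closes value="", and the rest is
// parsed as new attributes. The style starts a CSS animation and the
// onanimationstart handler fires with no user interaction, provided an
// animation named "rotation" is defined in the page's CSS. Output:
//   <input type="text" name="example_temp_directory" value="/tmp" style=animation-name:rotation onanimationstart=alert(/XSS/)//">
echo example_render_temp_dir_field( $payload, false ), "\n";

// Escaped: esc_attr() turns the quote into &quot;, so the whole string stays
// inside the attribute and the browser shows it as the literal setting value.
// Output:
//   <input type="text" name="example_temp_directory" value="/tmp&quot; style=animation-name:rotation onanimationstart=alert(/XSS/)//">
echo example_render_temp_dir_field( $payload, true ), "\n";
```

Escaping at output time is the right place for this; sanitizing the value on save with sanitize_text_field() would not help here, since that function strips tags and line breaks but leaves double quotes alone, and the payload contains no tags.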
This false report was given a CVE id by WPScan, CVE-2022-2351, despite not really being a vulnerability.