In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular, are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Contributor+ Stored XSS via Shortcode in menu shortcode

Automattic’s WPScan made this claim about a supposed contributor+ stored XSS via Shortcode vulnerability in the plugin menu shortcode:

The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

We tried the proof of concept and it didn’t work. The proof of concept includes this note:

Note: The exploit works on older Safari browsers.

They don’t even know what versions are supposed to be at issue. That web browser has been publicly available since 2003, so knowing what versions are supposed to be impact would be a pre-requisite for claiming this is a vulnerability.