9 Jun 2023

Automattic’s WPScan, Wordfence, and Patchstack Don’t Appear to Have a Basic Grasp of What Vulnerabilities Are

Recently Automattic’s WPScan claimed that there had been what is normally a fairly serious type of vulnerability in a WordPress plugin. That being, as they put it, an “unauthenticated stored XSS” vulnerability or, as we would put it, a persistent cross-site scripting (XSS) vulnerability. That would allow an attacker who is not logged in to WordPress to cause JavaScript code they crafted to run for other visitors to the website. Depending on where that code ran, it could, among other things, be used to inject malware into front-end pages of the website, or to make users logged in to WordPress as Administrators take actions they did not intend. Both of those are things that hackers have been known to attempt on a wide scale.

Here is their description of the issue:

The plugin doesn’t filter user input on chat, leading to bad code inserted on it be reflected on the user dashboard.

That is rather vague, and it hints there might not be a vulnerability at all. The proof of concept doesn’t help to clear up the vagueness:

1. Enter `#"><image src=/ onerror=alert("XSS")>` as the malicious payload into the chatbot input.

2. See XSS vulnerability.

Where exactly are you supposed to see the result of that, as suggested in step 2?

This was supposed to be fixed in version 1.1.6 of the plugin. Looking at the changes made in that version suggests that the vulnerability either hadn’t been fixed or didn’t exist in the first place. The reason is that the only change to the code of the plugin was in JavaScript files. If the vulnerability existed, you would normally expect it to be resolved by some combination of sanitizing and/or validating the input before it is stored and escaping it when it is output, in the PHP code of the plugin.

When we went to test this, we first had to get through a fair bit of setup before we could get to step 1. What we saw when we did step 1 confirmed there isn’t really a vulnerability here and there definitely isn’t the claimed type of vulnerability. When doing step 1, there was no request sent back to the website, which would be required for anything to be stored. Instead, the value was reflected back on the page the attacker would be on.

So the “vulnerability” here would involve someone intentionally entering malicious code into the chat, which would then run in their own web browser. That isn’t a vulnerability. If it were, then all the major web browsers are vulnerable, as you can do exactly that through their web developer console as well.

Automattic promotes the WPScan service with the line “It’s like having your own team of WordPress security experts.”, despite the service being run by people who, based on this, seem to lack a basic grasp of what vulnerabilities are. (Automattic itself could certainly use help from security experts, considering its repeated issues with security.)

Even if you wanted to call this a vulnerability, it would be a self-XSS, not “unauthenticated stored XSS” since nothing is ever stored.
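To make the distinction concrete, here is an added example (not code from the QuBotChat plugin, WPScan, Wordfence or Patchstack) that models the two ways a chat widget can handle typed text, applies the triage rule used above (no request to the site means nothing is stored, so at most a self-XSS), and shows the output escaping a real fix would need. All function names and the in-memory "server" are hypothetical.

```javascript
// Added example, not code from the QuBotChat plugin or from any of the vendors named.
// Models the two paths a chat widget can take so the difference between a self-XSS
// and a persistent (stored) XSS is concrete. All names here are hypothetical.

// Client-side analogue of WordPress's esc_html(): neutralises HTML metacharacters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical stand-in for the plugin's server side: records whether any request
// arrived and what, if anything, was stored.
function makeServer() {
  return { requests: 0, messages: [] };
}

// Path A: the widget writes the text straight into the sender's own page and never
// contacts the site. Whatever markup runs here runs only for the person who typed it.
function renderLocally(input) {
  return `<div class="chat-msg">${input}</div>`;
}

// Path B: the text is sent to the site, stored, and later rendered for other visitors.
function submitMessage(server, input) {
  server.requests += 1;
  server.messages.push(input); // a real fix would also sanitize/validate before storing
}

// Rendering stored messages for other visitors, with or without output escaping.
function renderForVisitors(server, escapeOutput) {
  return server.messages
    .map((m) => `<div class="chat-msg">${escapeOutput ? escapeHtml(m) : m}</div>`)
    .join('');
}

// Triage rule from the post: no request means nothing is stored, so the report can be
// a self-XSS at most; stored input rendered unescaped to others is a persistent XSS;
// stored input that is escaped on output is not a vulnerability.
function classify(server, escapeOutput) {
  if (server.requests === 0) return 'self-XSS at most';
  if (server.messages.length > 0 && !escapeOutput) return 'persistent XSS';
  return 'not a vulnerability';
}

// The payload from the published proof of concept, used here as constructed input.
const POC_PAYLOAD = '#"><image src=/ onerror=alert("XSS")>';
```

Running the proof-of-concept payload through Path A produces a server with zero requests, which is exactly what was observed during testing and why the claim cannot be a stored XSS.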

Others Don’t Understand Vulnerabilities Either

WPScan isn’t alone in false claims with this.

Here is Wordfence’s description of the claimed vulnerability:

The QuBotChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

While the current page cites WPScan as the reference for the information, an archived version of their page shows that they posted this before WPScan’s published information and cited the changes made to the plugin as the reference (despite those not matching with their claim).

Another provider, Patchstack, claims that their data is “Hand curated, verified and enriched vulnerability information by Patchstack security experts.” So surely they avoided this false claim? Oh no, instead they cited Wordfence as their source and provided this inaccurate description as well:

Unknown discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress QuBotChat Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.1.6.

CVE Continues to Allow Fake Vulnerability Reports

The CVE program, which is apparently funded by the US government and claims its mission is to “Identify, define, and catalog publicly disclosed cybersecurity vulnerabilities,” allows WPScan, Patchstack, and Wordfence to put reports into its system without any oversight. That is the case here, as WPScan has issued an ID for this, CVE-2023-2399, despite it not being a vulnerability.
