Not Really a WordPress Plugin Vulnerability, Week of January 19
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false, where the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.
Cross-Site Scripting (XSS) in Alert Before Your Post
Our firewall plugin has been blocking attempts to exploit what at least one hacker believes to be a vulnerability in the plugin Alert Before Your Post. The attempt looks like this:
/wp-content/plugins/alert-before-your-post/trunk/post_alert.php?name=</script><script>alert(document.domain)</script>
That appears to be related to a claimed vulnerability given the CVE ID CVE-2011-5107. Looking at the plugin’s code, it appears that someone confused the possibility of a different vulnerability with the one being claimed here.
If you try that exploit attempt, it causes a PHP error message to be shown, which starts “Fatal error: Uncaught Error: Call to undefined function register_activation_hook() in”. That refers to the first line of code in the file that actually runs, which is this:
register_activation_hook(__FILE__,'plugin_activate');
That is calling a WordPress function, which, as the error message says, doesn’t exist when the file is called directly. Nothing happens here other than an error, so there isn’t a vulnerability here.
Cross-Site Scripting (XSS) in Skysa App Bar
Our firewall plugin has been blocking attempts to exploit what at least one hacker believes to be a vulnerability in the plugin Skysa App Bar. The attempt looks like this:
/wp-content/plugins/skysa-official/skysa.php?submit=</script><script>alert(document.domain)</script>
That appears to be related to a claimed vulnerability given the CVE ID CVE-2011-5179. Looking at the plugin’s code, it appears that someone confused the possibility of a different vulnerability with the one being claimed here.
If you try that exploit attempt, it causes a PHP error message to be shown, which starts “Fatal error: Uncaught Error: Call to undefined function add_action() in”. That refers to the first line of code in the file, which is this:
add_action('get_footer', 'filter_footer');
That is calling a WordPress function, which, as the error message says, doesn’t exist when the file is called directly. Nothing happens here other than an error, so there isn’t a vulnerability here.
Cross-Site Scripting (XSS) in Advanced Text Widget
Our firewall plugin has been blocking attempts to exploit what at least one hacker believes to be a vulnerability in the plugin Advanced Text Widget. The attempt looks like this:
/wp-content/plugins/advanced-text-widget/advancedtext.php?page=</script><script>alert(document.domain)</script>
That appears to be related to a claimed vulnerability given the CVE ID CVE-2011-4618. Looking at the plugin’s code, it appears that someone confused the possibility of a different vulnerability with the one being claimed here.
If you try that exploit attempt, it causes a PHP error message to be shown, which starts “Fatal error: Uncaught Error: Call to undefined function plugin_basename() in”. That refers to the first line of code in the file, which is this:
define("ATW_BASENAME", plugin_basename(dirname(__FILE__)));
That is calling a WordPress function, which, as the error message says, doesn’t exist when the file is called directly. Nothing happens here other than an error, so there isn’t a vulnerability here.
Cross-Site Scripting (XSS) in Flexible Custom Post Type
Our firewall plugin has been blocking attempts to exploit what at least one hacker believes to be a vulnerability in the plugin Flexible Custom Post Type. The attempt looks like this:
/wp-content/plugins/flexible-custom-post-type/edit-post.php?id=</script><script>alert(document.domain)</script>
That appears to be related to a claimed vulnerability given the CVE ID CVE-2011-5106. Looking at the plugin’s code, it appears that someone confused the possibility of a different vulnerability with the one being claimed here.
If you try that exploit attempt, it causes a PHP error message to be shown, which starts “Fatal error: Uncaught Error: Call to undefined function _e() in”. That refers to the first line of code in the file, which is this:
<h2><?php _e('Custom Post Type','fcpt'); ?></h2>
That is calling a WordPress function, which, as the error message says, doesn’t exist when the file is called directly. Nothing happens here other than an error, so there isn’t a vulnerability here.
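All four reports above fail the same check: the directly requested file dies on its first call to an undefined WordPress function before the parameter is ever echoed. The following Python, added here and not part of the original post, classifies the response body captured for such a request as reflected, HTML-escaped, fatal-before-output, or not reflected; the sample bodies and the plugin path in them are constructed, not captured from any real site.

```python
import re
from html import escape

# The fatal error the post quotes. PHP prints it as plain text
# ("Fatal error: Uncaught Error: ...") or, with html_errors on, wrapped in
# "<b>Fatal error</b>:"; the pattern accepts both forms.
_UNDEFINED_FN = re.compile(
    r"Fatal error(?:</b>)?:\s+Uncaught Error: Call to undefined function (\w+)\(\)"
)

def classify_xss_response(payload: str, body: str) -> dict:
    """Classify the body a directly requested plugin file returned.

    verdict: reflected           - payload echoed verbatim; the claim holds
             escaped             - payload echoed HTML-encoded; not exploitable as claimed
             fatal_before_output - PHP died on an undefined (WordPress) function
                                   before any code that echoes the parameter ran
             not_reflected       - nothing of the payload came back (e.g. a blank 500)
    function: the undefined function name when a fatal error is present, else None.
    """
    fatal = _UNDEFINED_FN.search(body)
    function = fatal.group(1) if fatal else None
    if payload in body:
        # Output emitted before a later fatal error still reaches the browser.
        return {"verdict": "reflected", "function": function}
    if escape(payload, quote=True) in body:
        return {"verdict": "escaped", "function": function}
    if fatal:
        return {"verdict": "fatal_before_output", "function": function}
    return {"verdict": "not_reflected", "function": None}

PAYLOAD = "</script><script>alert(document.domain)</script>"

# Constructed sample bodies; the plugin path is a placeholder, not a real site.
SAMPLES = {
    "fatal": ("Fatal error: Uncaught Error: Call to undefined function "
              "register_activation_hook() in /srv/www/wp-content/plugins/example/example.php:154"),
    "fatal_html": ("<br />\n<b>Fatal error</b>:  Uncaught Error: Call to undefined "
                   "function add_action() in /srv/www/wp-content/plugins/example/example.php:10"),
    "reflected": f'<input type="text" name="name" value="{PAYLOAD}">',
    "escaped": f'<input type="text" name="name" value="{escape(PAYLOAD, quote=True)}">',
    "blank": "",
}

def triage_all(payload: str = PAYLOAD) -> dict:
    """Run the classifier over every sample; returns {sample_name: verdict}."""
    return {name: classify_xss_response(payload, body)["verdict"]
            for name, body in SAMPLES.items()}
```

Only the "reflected" verdict supports the XSS claim as stated; a fatal-before-output result, like the four cases above, means the parameter never reached any output.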