Not Really a WordPress Plugin Vulnerability – Week of June 23, 2017
In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we have been releasing posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. We have been thinking that providing information on why those are not included in our service’s data could be useful, so we are trying out putting a weekly post detailing those issues.
Authenticated Arbitrary File Viewing Vulnerability in Photo Gallery
The title of the report, “Path traversal in Photo Gallery may allow admins to read most files on the filesystem” seems to explain the issue well as only Administrators (or more accurately those with the “manage_options” capability) were able to take advantage of the issue and normally not only could they edit the plugin to remove protection against the issue, but they also could just install another plugin that could do what the issue in this plugin would have allowed.
Reflected Cross-Site Scripting (XSS) in Facebook Members
The claimed reflected cross-site scripting (XSS) vulnerability involves the value of the variable $_SERVER[“REQUEST_URI“]. That value is normally URL encoded by a web browser, so normally outputting it unescaped could not permit XSS. It would probably be more accurate to describe this type of issue as a possible vulnerability.