In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

Cross-Site Scripting (XSS) Vulnerability in Tagregator

Like a lot of false reports of cross-site scripting (XSS) vulnerabilities the claim that there is one in the plugin Tagregator is based on a lack of understanding that WordPress has an unfiltered_html capability that permits Administrator (and Editor) level users from doing the equivalent of XSS.

While isn’t specified in the instructions, to access the pages where the claimed vulnerability would be exploitable you need to be logged in as a user that has the “manage_option” capability, which normally only Administrators have. Those pages allow you to create pages that are done through WordPress’ custom post system, so the same security model as normal WordPress posts/pages is used. As described in the proof of concept normally that would mean you can place JavaScript code in the title and that would run when visit the pages, when created by an Administrator. This would be as true when creating a normal post or page as it would be with what is created by the plugin. If you were to disable the unfiltered_html capability for those users that have that capability then the JavaScript code in the title would be sanitized when saved, so there isn’t a vulnerability at all here.