23 Jun 2021

Patchstack and Their Red Team Don’t Understand Basics of WordPress Security

One long-time issue when it comes to collecting data on vulnerabilities in WordPress plugins is that many reported vulnerabilities are not really vulnerabilities. What has recently become an increasing problem, though, is that these false reports are coming directly from other data providers. One of those providers is Patchstack, which has something called the Patchstack Red Team. That apparently is a bug bounty program, not really a red team (or a team at all), but whatever it is, Patchstack posted a listing to their vulnerability database the other day for the plugin WP Reset that is credited to “m0ze (Patchstack Red Team)”. The details didn’t look promising as to that being a real vulnerability, and a quick check of the code confirmed that it wasn’t.

Authenticated Stored Cross-Site Scripting (XSS) in WP Reset

The only details provided about the claimed authenticated stored cross-site scripting (XSS) vulnerability are these two proofs of concept: [Read more]

22 Jun 2021

Pagely Doesn’t Seem That Serious About Security at Least With WordPress Plugins

There are a lot of places you can find information on vulnerabilities in WordPress plugins, but much of it is highly inaccurate. The WordPress-focused web host Pagely provides one example of that. They put out a monthly post mentioning vulnerable plugins, but just a glance at last month’s post shows they are not doing basic due diligence on claimed vulnerabilities. That isn’t in line with how they market themselves:

No one takes WordPress security more seriously than Pagely.

Their information is a bit confusing, as they have a section headed “List of Vulnerable Plugins, May 2021” and then one headed “Plugins Removed From WordPress Repository”, but both appear to be listing vulnerable plugins. The latter appears to be a list of vulnerable plugins that haven’t been fixed and, based on the name, you would assume ones that have been removed from the WordPress Plugin Directory. [Read more]

28 May 2021

Not Really a WordPress Plugin Vulnerability, Week of May 28

In reviewing reports of vulnerabilities in WordPress plugins, to provide our customers with the best data on vulnerabilities in the plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false, just ones where the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Stored Cross-Site Scripting (XSS) in Cookie Law Bar

With the claimed stored cross-site scripting (XSS) vulnerability in Cookie Law Bar, it is stated that “an authenticated attacker can retrieve cookies / sensitive data of all WordPress users”. The first step in the proof of concept is: [Read more]

13 Mar 2020

Not Really a WordPress Plugin Vulnerability, Week of March 13

Authenticated Stored XSS in Calculated Fields Form

A claimed authenticated stored XSS in Calculated Fields Form is described as this: [Read more]

21 Feb 2020

Not Really a WordPress Plugin Vulnerability, Week of February 21

Remote File Upload in Contact Form 7

A claimed remote file upload vulnerability in the plugin Contact Form 7 is a good example of how the appearance of a credible vulnerability report can be false. While the report has a proof of concept for the claimed issue, which would seem to indicate that the reporter had tested it out, they clearly didn’t. That proof of concept sends a request directly to a file in the plugin, /modules/file.php, but if you send a request to that file it will cause a fatal error when the first line of code in the file runs: [Read more]

8 Nov 2019

The WPScan Vulnerability Database “Verified” False Report of Vulnerability in WordPress Plugin

In the past we have noted that among the many lies told by the company behind Wordfence Security is that data they take from the WPScan Vulnerability Database (without disclosing it as the source) was “Confirmed/Validated”. At the time they did that, that data source was explicitly stating that they were not verifying vulnerabilities. More recently they have claimed to do that, but as shown again with a claimed vulnerability in the plugin WP Google Review Slider, it turns out they are not actually doing that.

With the vulnerability they claim it is verified: [Read more]

18 Oct 2019

Not Really a WordPress Plugin Vulnerability, Week of October 18

Cross Site Scripting in FooGallery, Popup Builder, and Soliloquy

Related claimed cross-site scripting vulnerabilities in the plugins FooGallery, Popup Builder, and Soliloquy involve a common cause of false reports of persistent cross-site scripting (XSS) vulnerabilities: people not understanding that WordPress allows users with the unfiltered_html capability to do the equivalent of XSS. In this case, if you follow the instructions you find that you are entering the XSS code in the title of a custom WordPress post, which is permitted for users with the unfiltered_html capability, but is not permitted for those without it. [Read more]

11 Oct 2019

Not Really a WordPress Plugin Vulnerability, Week of October 11

SQL Injection in New Contact Form Widget & Shortcode [Standard] (Contact Form Widget – Contact Query, Form Maker)

The quality of data on vulnerabilities in WordPress plugins from other sources is quite poor, as a recent entry with a CVE shows. The entry, CVE-2019-17072, makes this claim: [Read more]

27 Sep 2019

Not Really a WordPress Plugin Vulnerability, Week of September 27

Stored Cross-Site Scripting (XSS) in Easy FancyBox

One of the changelog entries for the latest version of Easy FancyBox is “SECURITY FIX: failing color value sanitization, issue reported by Jakob Hagl sba-research.org, CVE-2019-16524”. When we noticed that changelog entry we went to figure out what was at issue, and it looked like there wasn’t actually a vulnerability. That was confirmed by the report claiming there was one. The proof of concept for that starts with this: [Read more]

27 Sep 2019

Not Really a WordPress Plugin Vulnerability, Week of September 20

Remote Code Execution (RCE)/Arbitrary File Upload in wpForo Forum

One of the changelog entries for version 1.6.5 of wpForo Forum is: [Read more]