29 Mar 2019

Not Really a WordPress Plugin Vulnerability, Week of March 29

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Open Redirect in Google Doc Embedder

A common source of claimed vulnerabilities in these posts for the past few months has been someone with the handle “KingSkrupellos”, whose inaccurate reports the website Packet Storm keeps posting. With their claim of an open redirect vulnerability in Google Doc Embedder, the report doesn’t make a whole lot of sense. For example, these are the versions they list as being vulnerable: [Read more]

22 Mar 2019

Not Really a WordPress Plugin Vulnerability, Week of March 22


Stored XSS and Password Viewing in Easy WP SMTP

In a reply in a topic about the vulnerability that was being exploited this week in Easy WP SMTP, which was subsequently deleted (as were numerous other replies), someone asked if the vulnerabilities that a report claimed existed in the plugin had been fixed. That report is nearly two years old, but we are always looking to make our data more complete, even if it involves adding something fixed long ago. What we found, though, is that there really wasn’t a vulnerability, as the person making the claim seemed not to have a great understanding of the WordPress security model. [Read more]

15 Mar 2019

Not Really a WordPress Plugin Vulnerability, Week of March 15


Authenticated Option Update Vulnerability in CF7 Customizer

The first changelog entry for versions “1.2.0/1/2” of the plugin CF7 Customizer is [Read more]

15 Feb 2019

Not Really a WordPress Plugin Vulnerability, Week of February 15


Local File Inclusion Vulnerability in WP Staging

The report of a claimed local file inclusion vulnerability in the plugin WP Staging is the kind of strange report we have never been able to explain, as it has someone subtly modifying real code from the plugin to present a situation very different from reality. [Read more]

8 Feb 2019

Not Really a WordPress Plugin Vulnerability, Week of February 8


Cross Site Request Forgery / Shell Upload Vulnerability in Ultimate Member

Recently many of the claimed vulnerabilities we have mentioned in these posts have come from someone with the handle “KingSkrupellos”, whom the website Packet Storm continues to allow to post false reports. They were at it again with a claimed cross site request forgery / shell upload vulnerability in Ultimate Member. In this case they claim that there is a vulnerability in the latest version of the plugin involving files that don’t exist in it. [Read more]

1 Feb 2019

Not Really a WordPress Plugin Vulnerability, Week of February 1


SQL Injection Vulnerability in Add Code To Head, All-in-One WP Migration, Diamond MultiSite Widgets, Smush, and Yeloni Exit Popup

Related reports of SQL injection vulnerabilities in Add Code To Head, All-in-One WP Migration, Diamond MultiSite Widgets, Smush, and Yeloni Exit Popup appear to come from someone who has no idea what a SQL injection vulnerability is. As an example, take the plugin Add Code To Head, where they claim that this vulnerability exists in the file add-code-to-head.php, despite there being no SQL statements in that file, and the GET parameter “id” that is supposedly utilized as part of this isn’t used at all. What they claim proves there is an issue is the following, which they refer to as a “SQL Database Error”: [Read more]

25 Jan 2019

Not Really a WordPress Plugin Vulnerability, Week of January 25


CSRF / Shell Upload vulnerability in Category and Page Icons

The report of a claimed CSRF / shell upload vulnerability in the plugin Category and Page Icons is a mess. The report looks like it was copied from a real report of a restricted file upload vulnerability in the plugin from years ago, with additional information that isn’t accurate then added. If you look at the most recent version of the plugin, you will find that what is claimed in the report wouldn’t even be possible with that version, as the proof of concept has you sending a request to a file at /wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php, but the first line of that file blocks direct requests to the file: [Read more]

11 Jan 2019

Not Really a WordPress Plugin Vulnerability, Week of January 11


Cross-Site Scripting (XSS) in Google XML Sitemaps

The report of a claimed cross-site scripting (XSS) vulnerability in Google XML Sitemaps states: [Read more]

21 Dec 2018

Not Really a WordPress Plugin Vulnerability, Week of December 21


Shell Upload in Dean’s FCKEditor For WordPress and Monsters Editor for WP Super Edit

Related reports of claimed shell upload vulnerabilities were released for Dean’s FCKEditor For WordPress and Monsters Editor for WP Super Edit this week. The claim is that both of them contain [Read more]