Login

Not Really a WordPress Plugin Vulnerability

4 May 2018

Not Really a WordPress Plugin Vulnerability – Week of May 4, 2018

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

Persistent Cross-Site Scripting (XSS) Vulnerability in WF Cookie Consent

Last week we discussed basically the same exact claimed persistent cross-site scripting vulnerability as is now claimed to be in the plugin WF Cookie Consent with a similarly named plugin Cookie Consent. As with that one the first three steps have no connection with the plugin: [Read more]

27 Apr 2018

Not Really a WordPress Plugin Vulnerability – Week of April 27, 2018

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

Persistent Cross-Site Scripting (XSS) Vulnerability in Cookie Consent

With a claimed persistent cross-site scripting (XSS) vulnerability in the plugin Cookie Consent the proof of concept didn’t make a lot of sense to us: [Read more]

13 Apr 2018

Not Really a WordPress Plugin Vulnerability – Week of April 13, 2018

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

Persistent Cross-Site Scripting (XSS) Vulnerabilities in WordPress File Upload

This week there were a couple of reports of claimed persistent cross-site scripting (XSS) vulnerabilities in WordPress File Upload that were supposed to have been fixed in version 4.3.3 and 4.3.4. For both of them, the proof of concept indicated that the claimed vulnerability would be exploited when logged in to WordPress. In testing things out it looked to us that you would need to be logged in as an Administrator to access them. That was confirmed by looking at the code. The page on which the issues occurred through is only accessible in the admin area of WordPress if the user has the “manage_options” capability: [Read more]

8 Dec 2017

Not Really a WordPress Plugin Vulnerability – Week of December 8, 2017

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we have been releasing posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. We have been thinking that providing information on why those are not included in our service’s data could be useful, so we are trying out putting a weekly post when that occurs detailing those issues.

Directory Traversal Vulnerability in WooCommerce

A lot of reports of vulnerabilities that turn out to be false at least seem to have a valid basis, but occasionally you have truly strange ones. The claim of a directory traversal vulnerability in WooCommerce falls into the latter category. The claim made is: [Read more]

1 Dec 2017

Not Really a WordPress Plugin Vulnerability – Week of December 1, 2017

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we have been releasing posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. We have been thinking that providing information on why those are not included in our service’s data could be useful, so we are trying out putting a weekly post when that occurs detailing those issues.

Cross-Site Scripting (XSS) Vulnerability in amtyThumb and amtyThumb posts

The claim of a cross-site scripting (XSS) vulnerability in amtyThumb posts is a bit confusing as it is stated that [Read more]

10 Nov 2017

Not Really a WordPress Plugin Vulnerability – Week of November 10, 2017

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we have been releasing posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. We have been thinking that providing information on why those are not included in our service’s data could be useful, so we are trying out putting a weekly post when that occurs detailing those issues.

SQL Injection Vulnerability in Simple Events Calendar

With a claimed SQL injection vulnerability in the plugin Simple Events Calendar the claim seems shaky before even getting in to the details as it is stated that “Type user acces: administrator user.” If a vulnerability has to be exploited by an Administrator it likely isn’t a vulnerability, since those users normally have the ability to do almost anything (including editing a plugin to remove security code or adding another plugin that can take the action that could be done through the vulnerability). [Read more]

3 Nov 2017

Not Really a WordPress Plugin Vulnerability – Week of November 3, 2017

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we have been releasing posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. We have been thinking that providing information on why those are not included in our service’s data could be useful, so we are trying out putting a weekly post when that occurs detailing those issues.

Full Path Disclosure in Inline Image Upload for BBPress

At the end of September we mentioned that the website WPCampus wasn’t properly crediting us when discussing things we had written, but it isn’t just us that is true with us. Last week in their post on plugin vulnerabilities they credited Wordfence for discovering a vulnerability, but for the other claimed issue they discussed they left out any mention of the discoverer: [Read more]

13 Oct 2017

Not Really a WordPress Plugin Vulnerability – Week of October 13, 2017

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we have been releasing posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. We have been thinking that providing information on why those are not included in our service’s data could be useful, so we are trying out putting a weekly post when that occurs detailing those issues.

Directory Traversal Vulnerability in WP Smush

There recently was a report of a directory traversal vulnerability in WP Smush. If you believed the developers (who are also the developer of a security plugin) this is a vulnerability, the changelog for version 2.7.6 is: [Read more]

6 Oct 2017

Not Really a WordPress Plugin Vulnerability – Week of October 6, 2017

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we have been releasing posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. We have been thinking that providing information on why those are not included in our service’s data could be useful, so we are trying out putting a weekly post when that occurs detailing those issues.

Reflected Cross-Site Scripting (XSS) Vulnerability in Google Doc Embedder

Earlier today we mentioned that there are a number of issues with the Plugin Directory’s reviewing plugins before they return to the directory, which is one of many issues that seems like it could be improved if the people behind that were more open about what they are doing and able incorporate outside suggestions for improvement. Another area that seems like it might be improvable based on what is describe below, is deciding when to remove plugins. [Read more]

22 Sep 2017

Not Really a WordPress Plugin Vulnerability – Week of September 22, 2017

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we have been releasing posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. We have been thinking that providing information on why those are not included in our service’s data could be useful, so we are trying out putting a weekly post when that occurs detailing those issues.

Reflected Cross-Site Scripting (XSS) Vulnerability in Shibboleth

The claimed reflected cross-site scripting (XSS) vulnerability that had been in the plugin Shibboleth is good example of why the lack of testing done for claimed security issues can lead to missing important limitations surrounding them. We first came across the claimed vulnerability when the WPScan Vulnerability Database added the claimed vulnerability, which they didn’t verify before adding to their data set. They cited two references, one being a security improvement change made to the plugin in March of 2016 and the other a discussion on the Debian mailing list. That discussion makes mention of waiting for “real world testing”, but there is no mention of it being completed. [Read more]