15 Sep 2023

Not Really a WordPress Plugin Vulnerability, Week of September 15

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ PHP Object Injection in Starter Templates by Kadence WP

Automattic’s WPScan claimed there had been an admin+ PHP object injection vulnerability in the plugin Starter Templates by Kadence WP. They explained it this way:

14 Jul 2023

Not Really a WordPress Plugin Vulnerability, Week of July 14


Arbitrary File Deletion in Ninja Forms

Patchstack recently claimed that there had been an arbitrary file deletion vulnerability in Ninja Forms. They, in part, described it this way:

7 Jul 2023

Patchstack Claims to Be Security Point of Contact for WordPress Plugin It Made Up Vulnerability About

Recently Automattic’s WPScan claimed that the WordPress plugin Scripts n Styles had contained an admin+ stored XSS vulnerability that they explained this way:

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

9 Jun 2023

Automattic’s WPScan, Wordfence, and Patchstack Don’t Appear to Have a Basic Grasp of What Vulnerabilities Are

Recently Automattic’s WPScan claimed that there had been what is normally a fairly serious type of vulnerability in a WordPress plugin. That being, as they put it, an “unauthenticated stored XSS” vulnerability or, as we would put it, a persistent cross-site scripting (XSS) vulnerability. That would allow an attacker not logged in to WordPress to cause JavaScript code they crafted to run for other visitors of the website. Depending on where that code would run, it could, among other things, be used to cause malware to be included on front-end pages of the website, or to cause users logged in to WordPress as Administrators to take actions they did not intend. Both of those are things that hackers have been known to try to do on a wide scale.

Here is their description of the issue:

28 Apr 2023

Not Really a WordPress Plugin Vulnerability, Week of April 28


Authenticated (Administrator+) SQL Injection via ‘replace_urls’ in Elementor

Yesterday, we issued an advisory warning about using plugins developed by Elementor, in part based on a security issue we found that is still in the plugin. We found it while reviewing a security change being made in the latest version of the plugin. Wordfence claimed that the change fixed a vulnerability:

31 Mar 2023

Not Really a WordPress Plugin Vulnerability, Week of March 31


Contributor+ Stored XSS via Shortcode in menu shortcode

Automattic’s WPScan made this claim about a supposed contributor+ stored XSS via shortcode vulnerability in the plugin menu shortcode:

17 Mar 2023

Not Really a WordPress Plugin Vulnerability, Week of March 17


Reflected Cross-Site Scripting in VK All in One Expansion Unit

Automattic’s WPScan made this claim about a supposed reflected cross-site scripting vulnerability in the plugin VK All in One Expansion Unit:

10 Mar 2023

Not Really a WordPress Plugin Vulnerability, Week of March 10


Authenticated (Administrator+) Stored Cross-Site Scripting in All in One SEO

Wordfence claimed that the plugin All in One SEO had contained an authenticated (Administrator+) stored cross-site scripting vulnerability, which they described in part this way:

17 Feb 2023

Not Really a WordPress Plugin Vulnerability, Week of February 17


Admin+ Stored Cross-Site Scripting in Broken Link Checker

Automattic’s WPScan claimed there had been an admin+ stored cross-site scripting via import vulnerability in the plugin Broken Link Checker. They explained it this way:

3 Feb 2023

Not Really a WordPress Plugin Vulnerability, Week of February 3


Admin+ Stored Cross-Site Scripting via Import in Ninja Forms

Automattic’s WPScan claimed there had been an admin+ stored cross-site scripting via import vulnerability in the plugin Ninja Forms. They explained it this way: