3 Jun 2022

Not Really a WordPress Plugin Vulnerability, Week of June 3

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug than as a vulnerability. For those that don’t rise to the level of getting their own post, we now place them in a weekly post as we come across them.

Admin+ Stored Cross-Site Scripting in Photo Gallery

Automattic’s WPScan made this claim about a supposed admin+ stored cross-site scripting vulnerability in the plugin Photo Gallery: [Read more]

1 Jun 2022

“Vulnerability” In 1+ Million Install WordPress Plugin XML Sitemaps (Google XML Sitemaps) Didn’t Lead to Backdoor on Websites

On April 6, the WordPress plugin XML Sitemaps (Google XML Sitemaps) was closed on WordPress’ plugin directory. The only information given was this vague message:

This plugin has been closed as of April 6, 2022 and is not available for download. This closure is temporary, pending a full review. [Read more]

27 May 2022

Not Really a WordPress Plugin Vulnerability, Week of May 27

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug than as a vulnerability. For those that don’t rise to the level of getting their own post, we now place them in a weekly post as we come across them.

Reflected Cross-Site Scripting in WP Statistics

Automattic’s WPScan made this claim about a supposed reflected cross-site scripting vulnerability in the plugin WP Statistics: [Read more]

24 May 2022

Patchstack Claims “Vulnerability” in WordPress Plugin With 600,000+ Installs Was Fixed Despite No Changes Being Made

Partly because of the large number of false reports of vulnerabilities in WordPress plugins being put out by our competitors, we now put more focus on claims of vulnerabilities in plugins used by our customers. So once at least one of our customers started using the plugin GA Google Analytics, our systems notified us that we needed to review a report put out last year by one of the aforementioned competitors, Patchstack, on a claimed authenticated persistent cross-site scripting (XSS) vulnerability in the plugin.

The report is credited to “m0ze (Patchstack Red Team)”, so this was something coming directly from Patchstack, instead of just something they copied from somewhere else. [Read more]

20 May 2022

Not Really a WordPress Plugin Vulnerability, Week of May 20

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug than as a vulnerability. For those that don’t rise to the level of getting their own post, we now place them in a weekly post as we come across them.

Admin+ Reflected Cross-Site Scripting in Smush

A couple of weeks ago, Automattic’s WPScan claimed that the plugin Smush had contained an admin+ reflected cross-site scripting vulnerability, one that involves somehow getting an Administrator to upload a file to their own website: [Read more]

4 May 2022

Another Instance of Automattic Providing Misleading Information About Security of Competing WordPress Security Plugin

The company closely associated with WordPress, Automattic, has the most popular WordPress security plugin by installs, Jetpack, which has 5+ million installs according to wordpress.org. Recently WPScan, another part of Automattic, claimed that a competing plugin, All In One WP Security, which has 1+ million installs, had contained a reflected cross-site scripting (XSS) vulnerability, despite that vulnerability appearing not to exist. That isn’t the only recent instance of that happening.

Recently they claimed there had been a reflected cross-site scripting vulnerability in Anti-Malware Security and Brute-Force Firewall, which has 200,000+ installs. They wrote this (that is the whole sentence; they keep missing periods at the end of sentences): [Read more]

29 Apr 2022

Not Really a WordPress Plugin Vulnerability, Week of April 29

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug than as a vulnerability. For those that don’t rise to the level of getting their own post, we now place them in a weekly post as we come across them.

Admin+ Stored Cross-Site Scripting in Easy Smooth Scroll Links

A claimed admin+ stored cross-site scripting vulnerability in Easy Smooth Scroll Links is described this way: [Read more]

29 Apr 2022

Wordfence Doesn’t Appear to Understand the Security Implications of a Backup Plugin

A little over a month ago we noted that Automattic’s WPScan didn’t appear to understand the concept of a backup plugin, as they claimed that the 4+ million install WordPress backup plugin All-in-One WP Migration contained a vulnerability that:

allows administrators to upload PHP files on their site [Read more]

26 Apr 2022

Automattic Appears to Have Falsely Claimed That Competing WordPress Security Plugin Contained Reflected XSS Vulnerability

The company closely associated with WordPress, Automattic, has the most popular WordPress security plugin by installs, Jetpack, which has 5+ million installs according to wordpress.org. Recently WPScan, another part of Automattic, claimed that a competing plugin, All In One WP Security, which has 1+ million installs, had contained a reflected cross-site scripting (XSS) vulnerability (emphasis ours):

The plugin does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk [Read more]