15 Apr 2022

Not Really a WordPress Plugin Vulnerability, Week of April 15

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ Arbitrary File Upload to RCE in WP Import

Earlier this week we saw a concerning changelog entry for the plugin WP Import: [Read more]

15 Apr 2022

CVE, WPScan, and Patchstack Claimed That Possible Security Issue Was Addressed Five Months Before It Was

One of the changelog entries for version 4.5.9 of the WordPress plugin Download Monitor, which was released last week, is:

Fixed: Security issues regarding file downloads and download titles [Read more]

1 Apr 2022

Not Really a WordPress Plugin Vulnerability, Week of April 1

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Cross-Site Request Forgery (CSRF) in Curtain

The report for a claimed cross-site request forgery (CSRF) vulnerability in Curtain only includes a proof of concept and not the underlying code, which turns out to be important. While the proof of concept looks to produce the claimed result, changing the status of the plugin’s maintenance mode, in reality all that is happening is that an admin notice is shown that would normally appear after the change has already been made. The relevant code is the function admin_notices() in the file /main.php, and it makes no change to the maintenance mode setting: [Read more]

25 Mar 2022

Not Really a WordPress Plugin Vulnerability, Week of March 25

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Arbitrary File Deletion via Zip Slip (Authenticated) in iQ Block Country

A claimed arbitrary file deletion via Zip Slip (authenticated) vulnerability in iQ Block Country is described this way: [Read more]

23 Mar 2022

The “Security Experts” at Automattic’s WPScan Don’t Appear to Understand The Implication of Being Able to Replace WordPress

One of the biggest problems we run into while compiling data on vulnerabilities in WordPress plugins these days is the number of false reports out there. While there has been a problem with that for years, what makes it more problematic now is that “security experts” are spreading these false claims instead of knocking them down. One frequent source of that is WPScan, which is owned by the company closely connected with WordPress, Automattic. That entity is marketed with the claim that they are a “Dedicated team of WordPress security experts”, which doesn’t match up with what we keep seeing.

One of the changelog entries for the latest version of the WordPress plugin WP Downgrade is: [Read more]

21 Mar 2022

The “Security Experts” at Automattic’s WPScan Don’t Appear to Understand the Concept of a Backup Plugin

One of the biggest problems we run into while compiling data on vulnerabilities in WordPress plugins these days is the number of false reports out there. While there has been a problem with that for years, what makes it more problematic now is that “security experts” are spreading these false claims instead of knocking them down. One frequent source of that is WPScan, which is owned by the company closely connected with WordPress, Automattic. That entity is marketed with the claim that they are a “Dedicated team of WordPress security experts”, which doesn’t match up with what we keep seeing.

Recently we saw what looked to be a hacker probing for usage of the plugin All-in-One WP Migration. We couldn’t find a good explanation for why that would be, such as a recently fixed vulnerability in the plugin or an unfixed vulnerability that currently exists in it. But WPScan did recently put out a false report of a vulnerability in the plugin that it seems like a hacker might have thought was something they could exploit. [Read more]

11 Mar 2022

Not Really a WordPress Plugin Vulnerability, Week of March 11

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Authenticated Reflected XSS (via HOST header) in XML Sitemaps

Automattic’s WPScan has long not been concerned about whether they spread false reports of vulnerabilities, as can be seen by this report from a few years ago, which we checked because at least one of our customers uses the plugin XML Sitemaps. It involves a claimed reflected cross-site scripting (XSS) vulnerability where, based on their description, they think that this type of vulnerability involves someone attacking themselves: [Read more]

28 Jan 2022

Not Really a WordPress Plugin Vulnerability, Week of January 28

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ Stored Cross-Site Scripting in LeadMagic

Wordfence claimed there was an Admin+ stored cross-site scripting vulnerability in LeadMagic: [Read more]

21 Jan 2022

Not Really a WordPress Plugin Vulnerability, Week of January 21

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ Stored Cross-Site Scripting in Random Banner

Wordfence claimed there was an Admin+ stored cross-site scripting vulnerability in Random Banner: [Read more]

7 Jan 2022

Not Really a WordPress Plugin Vulnerability, Week of January 7

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Cross-Site Request Forgery (CSRF) in NotificationX

With a claimed cross-site request forgery (CSRF) vulnerability in the plugin NotificationX, the claimed discoverer, NinTechNet, provides no explanation of why the functionality in question even needs protection against CSRF. [Read more]