17 Dec 2021

Not Really a WordPress Plugin Vulnerability, Week of December 17

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ Reflected Cross-Site Scripting in LiteSpeed Cache

With a claimed admin+ reflected cross-site scripting vulnerability in LiteSpeed Cache, the WPScan Vulnerability Database provided this proof of concept: [Read more]

10 Dec 2021

Not Really a WordPress Plugin Vulnerability, Week of December 10


Authenticated Stored Cross-Site Scripting in Fathom Analytics

Wordfence made this claim about the plugin Fathom Analytics: [Read more]

3 Dec 2021

Not Really a WordPress Plugin Vulnerability, Week of December 3


Authenticated Stored XSS in Asgaros Forum

This week Wordfence claimed there had been an authenticated stored XSS vulnerability in Asgaros Forum and it was fixed. They described it this way: [Read more]

26 Nov 2021

Not Really a WordPress Plugin Vulnerability, Week of November 26


Stored Cross-Site Scripting (XSS) in ZOHO CRM Lead Magnet

With a claimed stored cross-site scripting (XSS) vulnerability in the plugin ZOHO CRM Lead Magnet, the exploitation steps involved being logged in to WordPress. The security company behind this claim, Cyber Security Works, oddly didn’t mention what role was required to take the actions mentioned. That is important, since it turns out that only Administrators are allowed access. That is because all the plugin’s admin pages require the “manage_options” capability to access them: [Read more]
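As an added illustration (not code from ZOHO CRM Lead Magnet or from this site’s post), here is what that capability gating looks like in a minimal WordPress settings page. The menu registration names the capability, and the save handler re-checks it along with a nonce, so anything stored through this page can only have been submitted by a user holding “manage_options”. The option and function names prefixed with example_lm are hypothetical stand-ins:

```php
<?php
/*
 * Added illustrative example, not the ZOHO CRM Lead Magnet plugin's code.
 * A settings page registered with the 'manage_options' capability, with a
 * save handler that re-checks that capability and a nonce. Only the
 * Administrator role (and Super Admins on multisite) holds 'manage_options'
 * in a default install, so input that can only arrive here is admin+.
 * All example_lm_* names and the option name are hypothetical.
 */

add_action( 'admin_menu', 'example_lm_register_page' );
function example_lm_register_page() {
    // The third argument is the capability WordPress checks before it will
    // render the page at all; other users get "Sorry, you are not allowed
    // to access this page." This is the argument to look for when working
    // out which role a reported "authenticated" issue really requires.
    add_options_page(
        'Example Lead Magnet',   // page title
        'Example Lead Magnet',   // menu title
        'manage_options',        // required capability
        'example-lead-magnet',   // menu slug
        'example_lm_render_page' // render callback
    );
}

function example_lm_render_page() {
    // Re-check inside the callback so the page is safe even if it is ever
    // wired up through a path that skips the menu registration check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to view this page.' ) );
    }
    $value = get_option( 'example_lead_magnet_text', '' );
    ?>
    <div class="wrap">
        <h1>Example Lead Magnet</h1>
        <form method="post" action="">
            <?php wp_nonce_field( 'example_lm_save', 'example_lm_nonce' ); ?>
            <input type="text" name="example_lm_text"
                   value="<?php echo esc_attr( $value ); ?>" />
            <?php submit_button( 'Save' ); ?>
        </form>
    </div>
    <?php
}

add_action( 'admin_init', 'example_lm_handle_save' );
function example_lm_handle_save() {
    if ( ! isset( $_POST['example_lm_text'] ) ) {
        return;
    }
    // Capability check: the stored value can only come from an Administrator.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Nonce check: stops a cross-site request forgery against that Administrator.
    if ( ! isset( $_POST['example_lm_nonce'] )
        || ! wp_verify_nonce( $_POST['example_lm_nonce'], 'example_lm_save' ) ) {
        return;
    }
    update_option(
        'example_lead_magnet_text',
        sanitize_text_field( wp_unslash( $_POST['example_lm_text'] ) )
    );
}
```

When assessing a report like this one, grep the plugin for add_menu_page, add_submenu_page and add_options_page calls and read the capability argument, then confirm the handlers that write to the database check the same capability. One caveat worth keeping in mind: on a single-site install an Administrator also holds the unfiltered_html capability and can put script in a post or widget anyway, so an admin-only stored XSS adds nothing; on multisite, or where DISALLOW_UNFILTERED_HTML is defined, Administrators lack unfiltered_html, and an admin+ stored XSS then does cross a boundary.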

22 Nov 2021

Microsoft, Cyber Security Works, and Patchstack Don’t Understand a Basic Element of Security

Recently a security company we had not heard of before, named Cyber Security Works, released a report on a claimed stored cross-site scripting vulnerability that had been in the WordPress plugin Microsoft Clarity. The report is a mess.

They list the “affected vendor” as “WordPress 5.8.1”, while the actual vendor is Microsoft. [Read more]

12 Nov 2021

Not Really a WordPress Plugin Vulnerability, Week of November 12


Arbitrary File Deletion in Backup and Restore For WP

With a claimed arbitrary file deletion vulnerability in Backup and Restore For WP, no report is provided, only an HTTP request and the response to it. That information made it look like this isn’t a vulnerability, and looking at the underlying code confirms it. [Read more]

29 Oct 2021

Not Really a WordPress Plugin Vulnerability, Week of October 29


Admin+ Stored Cross Site Scripting in WP Sitemap Page

WPScan claimed that the plugin WP Sitemap Page contained an “Admin+ Stored Cross Site Scripting” vulnerability, stating this: [Read more]

22 Oct 2021

Not Really a WordPress Plugin Vulnerability, Week of October 22


Admin+ Arbitrary File Upload in Catch Themes Demo Import

In another claim from Wordfence and Thinkland Security Team, there was said to be an admin+ arbitrary file upload vulnerability in Catch Themes Demo Import. The claimed vulnerability here involves being logged in as an Administrator to do something that an Administrator can already do: [Read more]