11 Aug 2021

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Picture Gallery

A new report claims that there is a stored cross-site scripting (XSS) vulnerability in the WordPress plugin Picture Gallery. Like a lot of recent reports this isn’t really a vulnerability as the attacker would need to be logged in to WordPress as an Administrator to exploit this. But while confirming that was in fact the case, we found that there is actually a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in somewhat related code in the plugin.

The supposed vulnerability involves accessing a page only accessible to those with the manage_options capability, so Administrators: [Read more]
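To make the distinction drawn above concrete, here is an added example in the form of a hypothetical WordPress settings handler. It is illustrative code written for this page, not code from Picture Gallery or any other plugin, and the option name, nonce action and function names are all assumed. The first handler is reachable only by Administrators and stores a setting without escaping, which is the kind of thing the recent reports call "stored XSS": an Administrator can already run arbitrary code on the site (and normally has the unfiltered_html capability), so letting them store JavaScript in their own setting gains an attacker nothing. The second handler shows what turns the same code into a real CSRF/XSS issue, the absence of a nonce check, and the third shows the fix.

```php
<?php
// Hypothetical example for illustration; not any real plugin's code.
// Assumes it runs inside WordPress (current_user_can, update_option,
// check_admin_referer, wp_nonce_field, esc_html are WordPress core functions).

// Case 1: not a vulnerability. Only Administrators can reach this, and the
// request carries a valid nonce, so the only person who can store a payload
// is someone who already controls the site.
function pgx_save_caption_admin_only() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'pgx_save_caption' ); // dies on a missing/invalid nonce
    // Unescaped, but an Administrator (who typically also has unfiltered_html)
    // could do far worse than store JavaScript in their own setting.
    update_option( 'pgx_caption', wp_unslash( $_POST['caption'] ) );
}

// Case 2: a CSRF/XSS vulnerability. Same capability check, but no nonce
// check: an Administrator who visits an attacker-controlled page can be made
// to submit this form by their browser, and the attacker-chosen value is then
// stored and output to other visitors.
function pgx_save_caption_csrf_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    update_option( 'pgx_caption', wp_unslash( $_POST['caption'] ) );
}

// Case 3: the fix. Verify the nonce so the request must originate from the
// plugin's own form, sanitize on input, and escape on output.
function pgx_save_caption_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'pgx_save_caption' );
    $caption = isset( $_POST['caption'] )
        ? sanitize_text_field( wp_unslash( $_POST['caption'] ) )
        : '';
    update_option( 'pgx_caption', $caption );
}

// Output side: escape when rendering so a stored value cannot become markup.
function pgx_render_caption() {
    echo esc_html( get_option( 'pgx_caption', '' ) );
}

// The form that feeds the handler; wp_nonce_field() emits the hidden nonce
// input that check_admin_referer() validates.
function pgx_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'pgx_save_caption' ); ?>
        <input type="text" name="caption" value="<?php echo esc_attr( get_option( 'pgx_caption', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

When triaging a report of this kind, the questions to ask are therefore: who can reach the code path (what capability is required), whether that user already has unfiltered_html or equivalent power, and whether the request is protected by a nonce. Only the last of those turns an Administrator-only unescaped setting into something an outside attacker can exploit.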

26 Jul 2021

WPScan Misses Real Security Issue in WordPress Plugin with 600,000+ Installs Despite Claiming to Have Verified Related “Vulnerability”

On July 18 a new version of the WordPress plugin Maintenance was released, which appeared to have a security improvement in it based on one of the changelog entries:

security fixes [Read more]

23 Jul 2021

Not Really a WordPress Plugin Vulnerability, Week of July 23

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in the plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Persistent Cross Site Scripting in Mimetic Books

A claimed persistent cross-site scripting (XSS) vulnerability in the plugin Mimetic Books has the same issue that many recent false reports have had: the attacker would need to be logged in to WordPress as an Administrator. [Read more]

16 Jul 2021

Not Really a WordPress Plugin Vulnerability, Week of July 16

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in the plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Stored Cross-Site Scripting (XSS) in WPFront Notification Bar

A claimed stored cross-site scripting (XSS) vulnerability in the plugin WPFront Notification Bar has the same issue that many recent false reports have had: the attacker would need to be logged in to WordPress as an Administrator. [Read more]

9 Jul 2021

Not Really a WordPress Plugin Vulnerability, Week of July 9

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in the plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Directory Traversal in Anti-Malware Security and Brute-Force Firewall

The report of a claimed directory traversal vulnerability in Anti-Malware Security and Brute-Force Firewall is one of the odder instances of a false report we have seen recently. The only detail provided is this proof of concept: [Read more]

8 Jul 2021

WPScan and Patchstack Spread False WordPress Plugin Vulnerability Report That Looks Like Satire of False Report

One of the things we provide to customers of our service as part of our data set on WordPress plugin vulnerabilities is information on false reports of vulnerabilities. These days the source of many of those false reports is not who you would expect: it is the two other main data providers. One of those, WPScan, claims to be verifying these false reports, and the other, Patchstack, claims to be providing patches for them. In both cases, what they claim to do flies in the face of their spreading obviously false reports. One of those reports is so bad it reads like someone in the industry’s attempt at satirizing bad reports, not something being claimed to be real.

The report involves a plugin named Hotjar Connecticator, which had already been removed from the WordPress plugin directory by the time this report was released. The report was published directly with WPScan: [Read more]

30 Jun 2021

WPScan’s False Claim of Vulnerability in ProfilePress

With the recent vulnerabilities in the WordPress plugin ProfilePress (formerly WP User Avatar), we have been ahead of the pack: through our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, we were the first to identify that the new plugin replacing the previous WP User Avatar plugin was insecure. We also warned about the more serious vulnerabilities nearly a month before other providers. What we didn’t do is what another data provider, WPScan, has done: run with a false report of a vulnerability in the plugin. Here is the description of a claimed authenticated stored XSS vulnerability they added to their data set two days ago:

The plugin did not sanitise or escape some of its settings before saving them and outputting them back in the page, allowing high privilege users such as admin to set JavaScript payloads in them even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue [Read more]

25 Jun 2021

Patchstack Claims Medium Severity Vulnerability Existed When Discoverer States Issue Isn’t Real Threat

Yesterday we touched on one recent false report of a vulnerability in the WordPress plugin WP Super Cache, but there were additional claimed vulnerabilities connected to that. With one of those, one of our competitors, Patchstack, claimed not only that there was a vulnerability, but that it had a medium severity:

[Read more]

24 Jun 2021

The WP Super Cache Vulnerability That Wasn’t a Vulnerability

In March, Search Engine Journal wrote a story about a “vulnerability” in the very popular WordPress plugin WP Super Cache, which has 2+ million installs. The issue was described this way:

A flaw was disclosed today that exposes users of WP Super Cache to an authenticated remote code execution (RCE) vulnerability. [Read more]