17 Nov 2021

Vulnerability Details: Cross-Site Request Forgery (CSRF) in Backup Migration

Today a competing data source on vulnerabilities in WordPress plugins, Patchstack, released a vague disclosure of a claimed vulnerability in the plugin Backup Migration, which has 20,000+ installs. The only information provided is that it is supposed to be an authenticated persistent cross-site scripting (XSS) vulnerability that was fixed in version 1.1.6 of the plugin.

The changelog entry related to that hints that there wasn’t really a vulnerability, as what it describes sounds like a lot of recent claimed vulnerabilities of this type that involve an Administrator being able to do something they are allowed to do: