In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

Shell Upload Vulnerability in Social Share Buttons for WordPress

The report of a claimed shell upload vulnerability in Social Share Buttons for WordPress claims that it allows “Unrestricted Upload of File with Dangerous Type”. Strangely the report includes the full contents of one file from the plugin, but not the one that would actually handle uploads. Instead the file is a frontend for sending requests to the actually relevant file. If you look at the file that actually handles the uploads it restricts the extensions of files that can be uploaded to the following: [Read more]