Tag Archives: CVE – Page 3 – Plugin Vulnerabilities

25 Mar 2022

Not Really a WordPress Plugin Vulnerability, Week of March 25

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular, are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Arbitrary File Deletion via Zip Slip (Authenticated) in iQ Block Country

A claimed arbitrary file deletion via Zip slip (authenticated) vulnerability in iQ Block Country is described this way: [Read more]

24 Mar 2022

WPScan Issues Two CVE IDs for Same Vulnerability While Failing to Warn for 7 Months That It Was Unfixed

On August 9, 2021, a security update was released for the WordPress plugin Favicon by RealFaviconGenerator, which has 200,000+ installs. The changelog for that was:

Fix XSS security issue, reported by WPSpan.com. See https://wpscan.com/vulnerability/ed9d26be-cc96-4274-a05b-0b7ad9d8cfd9?fbclid=IwAR2aRMXRjbGm9ppoI9tM-OHm26Q0ax4yt0MkcP5sp0-pz9D4eVIEHQwvG1Y [Read more]

23 Mar 2022

The “Security Experts” at Automattic’s WPScan Don’t Appear to Understand The Implication of Being Able to Replace WordPress

One of the biggest problems we run into while compiling data on vulnerabilities in WordPress plugins these days is the amount of false reports out there. While there has been a problem with that for years, what makes it more problematic now is that “security experts” are spreading these false claims instead of knocking them down. One frequent source of that is WPScan, which is owned by the company closely connected with WordPress, Automattic. That entity is marketed with the claim that they are a “Dedicated team of WordPress security experts”, which doesn’t match up with we keep seeing.

One of the changelog entries for the latest version of the WordPress plugin WP Downgrade is: [Read more]

21 Mar 2022

The “Security Experts” at Automattic’s WPScan Don’t Appear to Understand the Concept of a Backup Plugin

One of the biggest problems we run into while compiling data on vulnerabilities in WordPress plugins these days is the amount of false reports out there. While there has been a problem with that for years, what makes it more problematic now is that “security experts” are spreading these false claims instead of knocking them down. One frequent source of that is WPScan, which is owned by the company closely connected with WordPress, Automattic. That entity is marketed with the claim that they are a “Dedicated team of WordPress security experts”, which doesn’t match up with we keep seeing.

Recently we saw what looked to be a hacker probing for usage of the plugin All-in-One WP Migration. We couldn’t find a good explanation for why that would be, either a recently fixed vulnerability in the plugin or an unfixed vulnerability that currently exists in the plugin. But WPScan did recently put out a false report of a vulnerability in the plugin that it seems like a hacker might have thought was something they could exploit. [Read more]

9 Mar 2020

Fortinet’s FortiGuard Labs Is Putting Out Reports That Falsely Claim Vulnerabilities in WordPress Plugins Have Been Fixed

Recently if you were relying on other sources for information on vulnerabilities in WordPress plugins you use you would have seen it claimed that Envira Gallery Lite recently contained a vulnerability that was fixed in version 1.7.7.

Here is that on the CVE : [Read more]

10 May 2019

While Others Mislabel a Possible Vulnerability, We Find a Vulnerability in Custom Field Suite

The changelog for the latest version of the WordPress plugin Ultimate FAQ is “Fixes a minor possible XSS issue”, we don’t know where the possible part comes from since that fixes a vulnerability and when we contacted the developer about that vulnerability we offered to provide them a proof of concept that confirmed that vulnerability was in fact exploitable. Vulnerabilities being inaccurately referred to as a possible or potential vulnerability isn’t an uncommon issue. By comparison the changelog for the latest version of Custom Field Suite is “Fix: prevent possible XSS for logged-in editors or admins (props reddy.io)” and what was fixed there would actually be a described as a possible vulnerability, since it involves allowing those users to do something they normally are permitted to do anyway due to them normally having the “unfiltered_html” capability.

Unfortunately, unlike us, other data sources don’t seem to care much for accuracy as that was added to the CVE’s data without that important qualifier: [Read more]

10 May 2019

More of CVE’s Inaccurate Information on WordPress Plugin Vulnerabilities

Earlier this week we noted that in starting to take a closer look at CVE entry data on vulnerabilities in WordPress plugins we found that their information can be problematic. An entry added in the last day is even worse. Here is the information given for CVE-2019-11869:

The Yuzo Related Posts plugin 5.12.94 for WordPress has XSS because it mistakenly expects that is_admin() verifies that the request comes from an admin user (it actually only verifies that the request is for an admin page). An unauthenticated attacker can inject a payload into the plugin settings, such as the yuzo_related_post_css_and_style setting. [Read more]

8 May 2019

This Isn’t a Great Indication of the Quality of Data on WordPress Plugin Vulnerabilities in CVE’s Data

While we provide our customers much better data on vulnerabilities in WordPress plugins then you will find elsewhere we are always looking to further improve what we are doing, since we know that is more that we can do. One thing we just started looking into was more closely monitoring data from the Common Vulnerabilities and Exposures (CVE) system. Though just days into that we ran into an entry that doesn’t point to great quality with the data.

This involves entry CVE-2018-19456, which is described as: [Read more]

28 Jun 2018

CVE Doesn’t Provide Great Information on WordPress Related Vulnerabilities

The last few days we have had a bit of traffic to our website from a page on the website of the Common Vulnerabilities and Exposures (CVE), which aims to be “a list of common identifiers for publicly known cybersecurity vulnerabilities” and is “is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security“. The page that traffic is coming from is for a claimed vulnerability in WordPress, described as follows:

WordPress version 4.8 + contains a Cross Site Scripting (XSS) vulnerability in plugins.php or core wordpress on delete function that can result in An attacker can perform client side attacks which could be from stealing a cookie to code injection. This attack appear to be exploitable via an attacker must craft an URL with payload and send to the user. Victim need to open the link to be affected by reflected XSS. . [Read more]