In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

SQL Injection Vulnerability in Add Code To Head, All-in-One WP Migration, Diamond MultiSite Widgets, Smush, and Yeloni Exit Popup

Related reports of SQL injection vulnerabilities in Add Code To Head, All-in-One WP Migration, Diamond MultiSite Widgets, Smush, and Yeloni Exit Popup appears to come from someone that has no idea what a SQL injection vulnerability is. As an example, take the plugin Add Code To Head, where they claim that there is this vulnerability in the file add-code-to-head.php despite there being no SQL statements in that file and the GET parameter “id” that is supposed to be utilized as part of this, isn’t used. What they are claiming proves that there is an issue is the following, which they refer to as a “SQL Database Error”: [Read more]