WPScan Misses Real Serious Vulnerability in WordPress Plugin Hana Flv Player While Spreading False Claim of Vulnerability
Recently one of our competitors in the WordPress plugin vulnerability space, WPScan, released a report claiming there was an authenticated stored cross-site scripting (XSS) vulnerability in the plugin Hana Flv Player. At first glance it looked like many of the false reports they include in their data, but further checking showed that while the claimed vulnerability didn’t exist, there was an even more serious vulnerability in the relevant code. As of this posting, the plugin is still available in WordPress’ plugin directory despite that.
Their report of an “authenticated stored cross-site scripting (XSS) vulnerability” starts with this past tense claim: