As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.
Yesterday a report of a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in version 4.6.0 of the Newsletter plugin was released. The changelog noted a security fix in the version it was supposed to have been fixed in, but the wording seemed to downplay the claimed issue, as it said “Fixed a security issue on admin side only exploitable by logged in admins”. A cross-site request forgery vulnerability involves getting someone else to access a URL that causes them to send a request to their website, so if the vulnerability had existed, to say that it was only “exploitable by logged in admins” would have been true, but misleading, since it would not have required them to be trying to exploit the vulnerability. But as we quickly found, the misleading part was describing it as a security issue. [Read more]