One of the things we do to keep track of what vulnerabilities are out there in WordPress plugins, so that we can provide our customers the best data, is to monitor the WordPress forums for postings related to them. One thing that has lead us to notice is that the quality of postings isn’t always great, take for example a claim of a vulnerability in the plugin Advanced Custom Fields. That claim lead to three separate posts in a matter of a week all mentioning the same issue, instead of those people just adding to the existing post (that isn’t an uncommon occurrence).
In this case the claimed vulnerability is something that we don’t consider a vulnerability. The claimed issue is that the plugin allows cross-site scripting (XSS), but since the only people that would be able to access the functionality needed to do it are Editor and Administrator level users that would normally have the unfiltered_html capability, they are specifically given the ability to use the equivalent of cross-site scripting (XSS) already. It would probably be more accurate to describe the issue as a bug. The people running the Plugin Directory agreed with us that it wasn’t a vulnerability. [Read more]