22 Sep 2017

Not Really a WordPress Plugin Vulnerability – Week of September 22, 2017

In reviewing reports of vulnerabilities in WordPress plugins, we often find reports of things that don’t appear to be vulnerabilities at all. For the more problematic reports we have been releasing posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug than as a vulnerability. We have been thinking that providing information on why those are not included in our service’s data could be useful, so we are trying out a weekly post, when there are such items, detailing those issues.

Reflected Cross-Site Scripting (XSS) Vulnerability in Shibboleth

The claimed reflected cross-site scripting (XSS) vulnerability that had been in the plugin Shibboleth is a good example of how the lack of testing done for claimed security issues can lead to missing important limitations surrounding them. We first came across the claimed vulnerability when the WPScan Vulnerability Database added it, which they did without verifying it before adding it to their data set. They cited two references, one being a security improvement change made to the plugin in March of 2016 and the other a discussion on the Debian mailing list. That discussion makes mention of waiting for “real world testing”, but there is no mention of that testing ever being completed.