False Vulnerability Report: WP-DownloadManager Arbitrary File Upload Vulnerability
As part of cataloging the vulnerabilities in WordPress plugins for our service, we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.
One thing we frequently see with false reports of vulnerabilities is people not understanding that certain activities are not always a vulnerability. One serious type of vulnerability is an arbitrary file upload vulnerability, which allows someone to upload any file. That could be used to upload a .php file with malicious code and then do basically anything with the website. In WordPress an Administrator level user would normally have the equivalent capability already, since they can upload new plugins and themes, so it wouldn’t be a vulnerability for a plugin to allow them to do the same.
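To make the distinction concrete, here is an upload handler for a hypothetical plugin that restricts file uploads to users who could already install plugins. This is an added example written for this post; it is not code from WP-DownloadManager or from the original report, and the hook name, action name, form field name and option name (`example_dm_*`) are assumptions made for the illustration. The WordPress functions it calls (`current_user_can()`, `check_admin_referer()`, `wp_handle_upload()`, `wp_die()`, `wp_safe_redirect()`) are real core APIs.

```php
<?php
/*
 * Added example, not from the original post or from WP-DownloadManager.
 * A file-upload handler for a hypothetical plugin ("example_dm") that only
 * lets users who can already upload plugins submit files. Hook, action,
 * field and option names are assumptions for this illustration.
 */

// admin_post_{action} runs for logged-in users who POST to admin-post.php
// with action=example_dm_upload. It is NOT reachable anonymously; the
// nopriv_ variant would be, and is deliberately not registered here.
add_action( 'admin_post_example_dm_upload', 'example_dm_handle_upload' );

function example_dm_handle_upload() {
    // 1. Capability check. Administrators can already upload plugins and
    //    themes ('upload_plugins'), so an upload feature limited to them
    //    grants nothing they do not already have. Omitting this check is
    //    what would turn the feature into an arbitrary file upload
    //    vulnerability, because any logged-in user could then reach it.
    if ( ! current_user_can( 'upload_plugins' ) ) {
        wp_die( esc_html__( 'You are not allowed to upload files.', 'example-dm' ), 403 );
    }

    // 2. Nonce check (CSRF). Even an admin-only upload should not be
    //    triggerable by a forged request riding the admin's session.
    //    check_admin_referer() dies on failure, so no return value is needed.
    check_admin_referer( 'example_dm_upload' );

    // 3. Only proceed if a file was actually posted with the request.
    if ( empty( $_FILES['example_dm_file'] ) ) {
        wp_die( esc_html__( 'No file was uploaded.', 'example-dm' ), 400 );
    }

    // 4. Hand the file to WordPress. wp_handle_upload() applies the site's
    //    allowed MIME type list (the upload_mimes filter), rejects .php by
    //    default, sanitizes the file name and stores it under wp-content/uploads.
    //    'test_form' => false is required because this is not the core media form.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['example_dm_file'], array( 'test_form' => false ) );

    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 400 );
    }

    // 5. Remember where the file went and send the user back to the plugin page.
    update_option( 'example_dm_last_upload', $result['file'] );
    wp_safe_redirect( admin_url( 'admin.php?page=example-dm&uploaded=1' ) );
    exit;
}
```

The matching form would post to `admin_url( 'admin-post.php' )` with a hidden `action` field set to `example_dm_upload`, a file input named `example_dm_file`, and `wp_nonce_field( 'example_dm_upload' )` so that `check_admin_referer()` has a nonce to verify. When reviewing a reported "arbitrary file upload" in a plugin, the first thing to establish is whether step 1 is present and which capability it requires: a handler gated on `upload_plugins` (or equivalent) only exposes what an Administrator can already do, whereas one gated on a low capability, or registered on a `nopriv_` hook, is the real finding.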