Patchstack and Their Red Team Don’t Understand Basics of WordPress Security
One long-standing issue when it comes to collecting data on vulnerabilities in WordPress plugins is that many reported vulnerabilities are not really vulnerabilities. What has recently become an increasing problem is that these false reports are coming directly from other data providers. One of those providers is Patchstack, which has something called the Patchstack Red Team. That is apparently a bug bounty program, not really a red team (or a team at all), but whatever it is, Patchstack posted a listing to their vulnerability database the other day for the plugin WP Reset that is credited to “m0ze (Patchstack Red Team)”. The details of that listing didn’t look promising as to it being a real vulnerability, and a quick check of the code confirmed that it wasn’t.
Authenticated Stored Cross-Site Scripting (XSS) in WP Reset
The only details provided about the claimed authenticated stored cross-site scripting (XSS) vulnerability are these two proofs of concept: