4 Apr 2023

Awesome Motive Isn’t Disclosing They Are Trying (and Sometimes Failing) to Fix Vulnerabilities in Their Plugins

Yesterday, Automattic’s WPScan claimed that the latest version of the 1+ million install WordPress plugin WPCode had fixed a vulnerability:

The plugin has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders [Read more]

27 Feb 2020

Cross-Site Request Forgery (CSRF)/Arbitrary File Deletion Vulnerability in Order / Coupon / Subscription Export Import Plugin for WooCommerce

While looking into something else related to the security of the plugin Order / Coupon / Subscription Export Import Plugin for WooCommerce (Order Export & Order Import for WooCommerce) we found that the latest version introduced a cross-site request forgery (CSRF)/arbitrary file deletion vulnerability.

In the new version these lines of code were added to the file /includes/importer/class-wf-orderimpexpcsv-order-import.php: [Read more]

10 Nov 2016

Cross-Site Request Forgery (CSRF)/File Deletion Vulnerability in XCloner

When it comes to false reports of vulnerabilities in WordPress plugins, one popular source of them is claimed vulnerabilities that can only be exploited by Administrator level users, which is the highest level of user (unless you are using WordPress Multisite). Apparently it isn’t common sense to a lot of people that someone who is an Administrator would have wide ranging access, so for them to take almost any action is not a vulnerability. Their access would normally allow them to install other plugins, which in some cases explicitly allow doing what is being claimed to be a vulnerability, and to edit existing plugins, so even if you place security restrictions in the plugin an Administrator would normally be able to remove them. There is an exception to actions taken by an Administrator not being vulnerabilities: when it is possible to cause a logged in Administrator to take an action they didn’t intend to, which we will get to a bit later.

This source of false reports came up again with a report of an authenticated denial of service (DoS) vulnerability and an authenticated remote code execution (RCE) vulnerability in XCloner released earlier this week. For both claims, the first step in exploiting them was “Authenticate to wordpress with an administrator”, so there isn’t really a vulnerability as claimed, but they could possibly be bugs. [Read more]