When it comes to false reports of vulnerabilities in WordPress plugins one popular source of them that is claimed vulnerabilities that can only be exploited by an Administrator level users, which is the highest level user (unless you are using WordPress Multisite). Apparently it isn’t common sense to a lot of people that someone that is Administrator would have wide ranging access, so for them to take almost activity is not a vulnerability. Their access would normally allow them the ability to install other plugins, which in some cases explicitly allows doing what is being claimed to be a vulnerability, and allow them to edit existing plugins, so even if you place security restrictions in the plugin an Administrator would normally be able to remove them. There is an exception to actions taken by an Administrator not being vulnerabilities when it is possible to cause a logged in Administrator to take an action they didn’t intend to, which we will get to a bit later.
As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.