4 May 2022

Another Instance of Automattic Providing Misleading Information About Security of Competing WordPress Security Plugin

The company closely associated with WordPress, Automattic, has the most popular WordPress security plugin by installs, Jetpack, which has 5+ million installs according to wordpress.org. Recently, another part of Automattic, WPScan, claimed that a competing plugin, All In One WP Security, which has 1+ million installs, had contained a reflected cross-site scripting (XSS) vulnerability, even though that vulnerability appears not to exist. That isn’t the only recent instance of that happening.

Recently, they claimed there had been a reflected cross-site scripting vulnerability in Anti-Malware Security and Brute-Force Firewall, which has 200,000+ installs. They wrote this (that is the whole sentence; they keep missing periods at the end of sentences):

The plugin does not sanitise and escape the QUERY_STRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters

The last part of that is a critical detail:

in browsers which do not encode characters

So what web browsers would those be? They don’t say.

That might have to do with the fact that modern web browsers do encode those characters in URLs, as does any web browser following the relevant standard, RFC 3986. Unless they can point to a reasonable scenario in which this would be exploitable, it would be more accurately described as a possible or potential vulnerability.
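To make the "browsers which do not encode characters" qualifier concrete, here is an added Python model (not code from the plugin, from WPScan, or from this post). It applies the percent-encoding that standards-following browsers use for the query part of a URL, then contrasts echoing QUERY_STRING verbatim with HTML-escaping it before output. The two render functions are assumptions about the shape of the reported pattern; the plugin's actual code is not on this page.

```python
from html import escape

# Characters a modern browser percent-encodes in the query part of a URL
# (the WHATWG URL Standard "query percent-encode set"; for http/https the
# single quote is encoded too). Other printable ASCII is sent unchanged.
QUERY_ENCODE_SET = set(' "<>\'')


def browser_query_string(typed_query: str) -> str:
    """Model what a standards-following browser sends as QUERY_STRING.

    Anything after a '#' is the fragment and never leaves the browser; the
    characters in QUERY_ENCODE_SET, C0 controls and non-ASCII are sent as
    %XX escapes of their UTF-8 bytes.
    """
    sent = typed_query.split('#', 1)[0]
    out = []
    for ch in sent:
        if ch in QUERY_ENCODE_SET or ord(ch) < 0x21 or ord(ch) > 0x7E:
            out.append(''.join(f'%{b:02X}' for b in ch.encode('utf-8')))
        else:
            out.append(ch)
    return ''.join(out)


def render_query_unescaped(query_string: str) -> str:
    """Assumed shape of the reported pattern: QUERY_STRING echoed verbatim into HTML."""
    return f'<p>Query: {query_string}</p>'


def render_query_escaped(query_string: str) -> str:
    """The fix: HTML-escape the value (what esc_html()/htmlspecialchars() do in PHP)."""
    return f'<p>Query: {escape(query_string, quote=True)}</p>'


def markup_reaches_page(typed_query: str, client_encodes: bool, escape_output: bool) -> bool:
    """Does a tag in the query survive as raw markup in the rendered page?

    client_encodes=True models a browser; False models a client that sends the
    bytes unmodified, i.e. the "browsers which do not encode" case.
    """
    qs = browser_query_string(typed_query) if client_encodes else typed_query
    render = render_query_escaped if escape_output else render_query_unescaped
    body = render(qs)[len('<p>Query: '):-len('</p>')]
    return '<' in body
```

With a constructed query such as `a=<b>x</b>`, only the combination of a non-encoding client and unescaped output lets the tag reach the page; escaping the output closes that case as well.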

That seemingly misleading claim about a competing product got uncritical coverage from the Search Engine Journal, which ran a story by Roger Montti that didn’t address which web browsers that someone would now be running would be impacted. We contacted him about that (and about another recent story falsely claiming that a vulnerability in a WordPress plugin led to “full site takeover”) on Monday, but we haven’t received any response and the story hasn’t been updated.

A second news outlet, Tech Times, ran a story based on the Search Engine Journal story, which unsurprisingly also failed to note the limitation on exploiting this, and added a further claim, seemingly based on nothing, that:

According to Search Engine Journal’s latest report, it seems like the firewall plugin accidentally patched a cross-site scripting flaw.

While not really a vulnerability, it was given the CVE ID, CVE-2022-0953, by WPScan.
