6 Nov 2023

News Outlet Claims WordPress Plugin Contained Vulnerability Because an Administrator Could Access the Website’s Database

On Friday, a news outlet that Google News includes, despite repeatedly running false stories about vulnerabilities in WordPress plugins, was at it again. Roger Montti, writing for the Search Engine Journal, made this claim:

The popular Fluent Forms Contact Form Builder plugin for WordPress, with over 300,000 installations, was discovered to contain a SQL Injection vulnerability that could allow database access to hackers.

The vulnerability may have been patched in June but it was just announced on November 3, 2023.

The story, which looks like it was probably copied and pasted from different sources, contains a lot of information, but lacks a basic detail: what level of access would the attacker need to do that? That is an important detail for determining what risk a vulnerability poses, or whether there even was a vulnerability to begin with.

Mr. Montti implied that the developer of the plugin was covering up that a vulnerability had been fixed:

Although Patchstack’s advisory states that the vulnerability was fixed in Version 5.0.0, there is no indication of a security fix according to the Fluent Form Contact Form Builder changelog, where changes to the software are routinely logged.

It’s possible that one of those entries is the fix. But some plugin developers want to keep security fixes secret, for whatever reason.

The original source for the claim, Patchstack, which is well known for being an unreliable source for information on WordPress plugins, didn’t provide the basic information needed for anyone to check on their claim, but they did claim the attacker would need to be logged in to WordPress as an Administrator.

Someone with that level of access already has the ability to access the database for the website. So that wouldn’t be a vulnerability.

We contacted Mr. Montti on Friday to alert him to that and offered to vet claims like that for him, so he could avoid running future false stories like this one. We have not heard back from him and the story hasn’t been corrected or pulled as of writing. He also hasn’t issued an apology to the developer for implying they were hiding that a vulnerability had been fixed.
