2 May 2024

Automattic’s WPScan Falsely Claimed that Automattic’s WooCommerce Contained Vulnerability

In January, we looked into a mess caused by the WordPress security provider Wordfence falsely claiming that the plugin WooCommerce had contained a vulnerability. That was caused in part by Wordfence failing to do the basic vetting they claim to do. Another provider, Patchstack, had similarly falsely claimed that WooCommerce contained that vulnerability. Belatedly, WPScan, which, like WooCommerce, is owned by Automattic, made the same claim. They provided a proof of concept that was supposed to show the exploitation:

They also claimed that they had verified this vulnerability:

Looking at their listing, you would reasonably think the information was accurate. But it isn’t. (As is often the case.)

We tried the proof of concept, and it didn’t work. That isn’t surprising when you look at the relevant code that they refer to as “not properly sanitiz[ing] user-input” “when echoed back into JavaScript code context.” That code escapes the value using the function esc_url():

<button type="button" class="notice-dismiss" onclick="window.location = '<?php echo esc_url( $dismiss_url ); ?>';">

The proof of concept requires that single quotes are not escaped to work, but esc_url() escapes them, so the proof of concept is harmless.
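To make that escaping step concrete, here is an added Python model of the parts of esc_url() that matter for this attribute (an approximation written for this article, not WordPress's own code; it omits the real function's full entity normalisation, bad-protocol and IPv6 handling), applied to a constructed dismiss URL:

```python
import re

# Characters that esc_url() keeps; anything else (quotes, angle brackets, ...) is dropped.
# Assumption: non-ASCII is kept wholesale, mirroring PHP's byte range \x80-\xff.
_DISALLOWED = re.compile(r"[^a-z0-9\-~+_.?#=!&;,/:%@$|*'()\[\]\x80-\U0010FFFF]", re.IGNORECASE)


def esc_url_display(url: str) -> str:
    """Approximation of esc_url() in its default 'display' context."""
    url = url.lstrip().replace(" ", "%20")
    url = _DISALLOWED.sub("", url)
    if not url:
        return url
    if not url.lower().startswith("mailto:"):
        for crlf in ("%0d", "%0a", "%0D", "%0A"):
            url = url.replace(crlf, "")
    url = url.replace(";//", "://")
    # No scheme and not a relative link or .php file: esc_url() prepends http://
    if ":" not in url and url[0] not in "/#?" and not re.match(r"^[a-z0-9-]+?\.php", url, re.I):
        url = "http://" + url
    # Bare ampersands become &amp; (simplified stand-in for wp_kses_normalize_entities),
    # then &amp; becomes &#038; and every single quote becomes &#039;.
    url = re.sub(r"&(?!#?[a-zA-Z0-9]+;)", "&amp;", url)
    url = url.replace("&amp;", "&#038;")
    url = url.replace("'", "&#039;")
    return url


def render_dismiss_button(dismiss_url: str) -> str:
    """The markup quoted above, with the untrusted value passed through the model."""
    template = '<button type="button" class="notice-dismiss" onclick="window.location = \'%s\';">'
    return template % esc_url_display(dismiss_url)


if __name__ == "__main__":
    # Constructed sample value containing a single quote and a query-string ampersand.
    sample = "https://example.com/wp-admin/?notice=1&x=it's"
    print(render_dismiss_button(sample))
```

The model shows only what the PHP writes into the attribute; since browsers decode character references such as `&#039;` in attribute values before an inline handler is compiled, the escaping step on its own is not conclusive for this context, and the post's hands-on test of the proof of concept is the stronger evidence.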

How could WPScan have verified this when their own proof of concept doesn’t work and it couldn’t work if you understand the relevant code? The simplest explanation is that they don’t actually verify things, but claim they do.

Why This Matters for Those Running WooCommerce Websites

A reasonable response to this would be, so what? There wasn’t a vulnerability, so being told that there was one and that it was fixed doesn’t really matter. That is true in this situation, but with claims of vulnerabilities in plugins that extend WooCommerce we also often find that there really is a vulnerability, but it is falsely claimed to have been fixed. For example, in January we noted that the 300,000+ install PDF Invoices & Packing Slips for WooCommerce had an authenticated SQL injection vulnerability that hadn’t actually been fixed. It was only because we actually vetted things, as at least one of our customers was using the plugin, that it was found that the vulnerability still existed. After that, the developer fixed it, but it took them weeks to release the fix.

Considering how insecure WordPress plugins are, getting warned about known vulnerable ones can significantly improve the security of WooCommerce websites. But you need to make sure the source of the data is one that actually checks over vulnerability claims, which, as shown above, most providers don’t do.
