13 Jan 2023

Not Really a WordPress Plugin Vulnerability, Week of January 13

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in the plugins they use, we often find reports of things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. Those that don’t rise to the level of getting their own post, we now place in a weekly post when we come across them.

Reflected Cross-Site Scripting in Spectra

Automattic’s WPScan claimed there was a reflected cross-site scripting vulnerability in Spectra. They explained it this way: [Read more]

6 Jan 2023

Not Really a WordPress Plugin Vulnerability, Week of January 6

PHP Object Injection in White Label CMS

Automattic’s WPScan claimed there was a PHP object injection vulnerability in White Label CMS. They explained it this way: [Read more]

9 Dec 2022

Not Really a WordPress Plugin Vulnerability, Week of December 9

PHP Objection Injection in Phlox Core Elements

Automattic’s WPScan claimed there was a PHP objection injection vulnerability in Phlox Core Elements. Presumably they were trying to refer to “PHP object injection”. They explained it this way: [Read more]

7 Dec 2022

Patchstack Isn’t Verifying Vulnerability Info Being Copied From WPScan’s Inaccurate Data

Yesterday, we noted that the WordPress security provider WPScan isn’t verifying claimed vulnerabilities being added to their data set, despite claiming to do just that. That came in the context of them claiming that there was a vulnerability in a plugin, where what they claimed was at issue wasn’t really a vulnerability, but there really was a more serious vulnerability. That wasn’t a one-off issue.

WPScan recently claimed that the plugin Popup Maker had contained an admin+ stored cross-site scripting vulnerability, which they described this way: [Read more]

5 Dec 2022

Patchstack Claimed to Provide “Early Alert and Protection” From “Vulnerabilities” Where Attacker Would Already Have Control of Website

Last week, we noted that the WordPress security provider Patchstack’s new “early alerts and protection” from plugin vulnerabilities had them weeks behind the protection that simply keeping plugins updated would have provided, and failing to offer even that for a vulnerability likely to be exploited by a hacker. At the end of the week, they put out information on what they claimed were vulnerabilities that had existed in a plugin, Easy WP SMTP, used by at least one of our customers, so we checked it over. What we found is that they were not vulnerabilities, as the “attacker” would already need to have control of the website, because they would need to be logged in as an Administrator.

One of those was claimed to be an authenticated arbitrary file deletion vulnerability, described this way: [Read more]

25 Nov 2022

Not Really a WordPress Plugin Vulnerability, Week of November 25

Admin+ Blind SSRF in Post SMTP

Automattic’s WPScan claimed an admin+ blind SSRF vulnerability had existed in Post SMTP. The description doesn’t make sense: [Read more]

15 Nov 2022

VulDB’s Alarmism on Display With False Claim of “Critical” Vulnerability in WordPress Plugin Activity Log

Earlier today someone posted on the support forum for the 200,000+ active install WordPress plugin Activity Log with the subject “Critical Exploit: Disable plugin Immediately!” and wrote this:

As reposted by CISA and NIST, NVD this plugin has a critical exploit, CVE-2022-3941, and we are removing from all of our servers pending revision and reporting from the makers. [Read more]

14 Nov 2022

Search Engine Journal’s Roger Montti Spreads Patchstack’s Misinformation About the Security of WooCommerce Plugin

A frequent source of news media misinformation on vulnerabilities in WordPress plugins is someone named Roger Montti, who writes for the Search Engine Journal. Why someone who describes himself as a “search marketer” and writes for a news outlet unrelated to security is covering those vulnerabilities, we don’t know. Whatever the reason, his stories on the subject get included in Google News and spread on social media.

Mr. Montti’s WordPress plugin vulnerability stories are often wrong in multiple ways, and in ways that indicate he is not familiar with the subject matter (not surprising considering his non-security background). We tried in the past to gently suggest to him that information in his stories was not entirely accurate, but he never corrected those stories and continued to make the same mistakes. He hasn’t gotten anyone else with knowledge of security to provide input for his stories either. The Search Engine Journal also doesn’t seem interested in addressing this, as we never got a response when we contacted them about a story from him that was outright false. [Read more]

11 Nov 2022

Not Really a WordPress Plugin Vulnerability, Week of November 11

Authenticated (Admin+) Directory Traversal In Ultimate Member

Wordfence claimed there had been an authenticated (admin+) directory traversal vulnerability in Ultimate Member that they described this way: [Read more]

4 Nov 2022

CVE Numbering Authority VulDB Falsely Claimed That 800,000+ Install WordPress Plugin Contained Vulnerability

Yesterday, a topic was created on the WordPress Support Forum about a claimed vulnerability in the WordPress plugin The Events Calendar with the message:

VulDB published an advisory concerning a vulnerability in The Events Calendar plugin, at https://vuldb.com/?id.212632. [Read more]