The report of the supposed vulnerability states that adding a malformed shortcode like this:
[tockify width='beluga"'><img/src="tes' "onerror="alert(document.domain)"]
leads to an alert on the published WordPress page and this demonstrates the ability to run arbitrary code.
This is true but it’s caused by the way WordPress and browsers deal with malformed HTML. It’s unrelated to our plugin, which that malformed shortcode doesn’t even load. The same would happen with every single WordPress plugin.
For example this code, which refers to a non-existent plugin called bluebanana produces the same result.
[bluebanana width='beluga"'><img/src="tes' "onerror="alert(document.domain)"]
We view this as a false report that should have been properly vetted before being added to a vulnerability database.
We’ve sent a more detailed version of this answer to the reporting organization (we didn’t do so initially because given the silliness of the report we thought it was spam).
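The triage step the reply above describes, as an added example that is not part of either reply in this thread and is not Tockify's or WordPress's code: swap the plugin's shortcode name for one nobody registers and see whether the finding changes. The shortcode strings are the two quoted in the thread with the forum's curly quotes restored to ASCII quotes (an assumption about the original text); the detection keys on the shape of the attribute text rather than on the shortcode name, and the stripping function shows the mitigation a content filter would apply before the markup reaches a browser.

```python
import re

# Constructed inputs: the two shortcodes quoted in the thread (ASCII quotes
# assumed), plus one well-formed shortcode as a control that must not be flagged.
REPORTED = '[tockify width=\'beluga"\'><img/src="tes\' "onerror="alert(document.domain)"]'
CONTROL_OTHER_NAME = REPORTED.replace("[tockify", "[bluebanana", 1)
BENIGN = '[tockify width="400"]'

# A shortcode-shaped token: "[", a tag name, then everything up to the closing "]".
# The name is captured only so findings can be compared across plugin names.
SHORTCODE = re.compile(r"\[([A-Za-z0-9_-]+)([^\]]*)\]")

# An inline event-handler attribute, whatever the surrounding quoting looks like.
EVENT_HANDLER = re.compile(r"""\bon[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>\]]+)""", re.I)


def suspicious_shortcodes(content):
    """Return (name, reason) for each shortcode whose attribute text carries an
    event handler or HTML markup. The name is reported but never used to decide,
    because the behaviour does not depend on which plugin the name belongs to."""
    findings = []
    for m in SHORTCODE.finditer(content):
        name, attrs = m.group(1), m.group(2)
        if EVENT_HANDLER.search(attrs):
            findings.append((name, "event handler in attributes"))
        elif "<" in attrs or ">" in attrs:
            findings.append((name, "html tag in attributes"))
    return findings


def strip_event_handlers(content):
    """Mitigation: drop on*= attributes before the content is emitted."""
    return EVENT_HANDLER.sub("", content)


def same_finding_regardless_of_name(a, b):
    """Triage: a and b differ only in the shortcode name. If the reasons match,
    the plugin named in the report is not what makes the input dangerous."""
    return [r for _, r in suspicious_shortcodes(a)] == [r for _, r in suspicious_shortcodes(b)]


if __name__ == "__main__":
    for sample in (REPORTED, CONTROL_OTHER_NAME, BENIGN):
        print(sample, "->", suspicious_shortcodes(sample))
    print("identical finding without the plugin name:",
          same_finding_regardless_of_name(REPORTED, CONTROL_OTHER_NAME))
    print("after stripping:", strip_event_handlers(REPORTED))
```

Running it reports the same reason for the tockify and bluebanana strings and nothing for the well-formed shortcode, which is the comparison a reviewer should make before attributing such a finding to a particular plugin.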
Hi @obverse, and thank you @tockify for your clarification.
Anything published by an organization that a plugin developer would like to dispute would have to be taken up with them. Wordfence’s scans would stop flagging it if the vulnerability report is removed or resolved as a result of that process.
If a third-party organization disagrees with the developer over something being an issue, then our internal Threat Intelligence team would be more than happy to review it in more detail. We will need access to the original report details in order to do that, sent with some background information about the case to wfi-support @ wordfence . com
Thanks,
Peter.