False Positive: XSS Security Vulnerability Report in EM 22.214.171.124
Posted on November 28, 2020
Update: WPScan has already gotten back to us and removed the vulnerability entry linked further down in this post. We hope that other security services propagate the correction quickly. We're now also aware that BlogVault has started reporting this to users too.
In a nutshell: there's a reported XSS vulnerability in Events Manager 126.96.36.199, now circulating among some security plugin scanners, which is a FALSE POSITIVE (i.e. not a real vulnerability). We'd like to address it here to help avoid the confusion it is causing.
We take security very seriously, and always encourage users to privately disclose issues directly to us via our contact form.
This doesn't always happen; sometimes someone reports an issue directly to WordPress.org instead. Thankfully, thanks to our long good standing with the WordPress.org community and our fast reaction to any security issue that may arise, the plugins team reaches out to us and we investigate within the day (time zones permitting).
This happened back at the end of August. The WordPress plugins team got in touch about a reported issue. We investigated it and got back to them immediately.
Thankfully, in this case, it was a false positive, which the Plugins team confirmed.
The report claimed that a user with the Editor role can add XSS strings to event and location titles. However, on a vanilla WordPress install, without Events Manager or any other plugin, Editors can do exactly the same in Post and Page titles and content, because WordPress grants that role the unfiltered_html capability by default on single-site installs (on multisite, only super admins have it). Users with unfiltered_html bypass WordPress's kses sanitisation on save; that is the intended behaviour for a trusted role, not a flaw in Events Manager, which relies on the same core capability check as Posts and Pages.
Unfortunately, for some unknown reason, this report made it into the WPScan vulnerability database, from which it has propagated to the iThemes Security and Jetpack security plugins.
We're in contact with WPScan to get this resolved. We take security very seriously and will always respond with the utmost urgency to any security report.
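For site owners who do not want Editors to be able to publish raw HTML at all, the lever is the core capability itself rather than any plugin. The snippet below is an added example for this post, not Events Manager or WordPress core code: a must-use plugin that denies unfiltered_html to everyone except administrators via the core map_meta_cap filter, so titles and content from those users go through the same kses filters (title_save_pre, content_save_pre) that already apply to lower roles. It assumes a single-site install and that "administrator" is identified by the manage_options capability; the file name is an assumption as well.

```php
<?php
/**
 * Added example (not Events Manager or WordPress core code).
 * Drop into wp-content/mu-plugins/no-editor-raw-html.php (file name assumed).
 *
 * On a single-site install the Editor role carries unfiltered_html, which is
 * why Editors can save <script> in any title or content field, Events Manager
 * fields included. This filter makes map_meta_cap() resolve unfiltered_html to
 * 'do_not_allow' for everyone who is not an administrator, so WordPress applies
 * its kses filters to their titles and content on save.
 */
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    // Only act on the capability we care about; leave all other checks alone.
    if ( 'unfiltered_html' !== $cap ) {
        return $caps;
    }

    // Administrators keep raw HTML. manage_options is used as the
    // "is an administrator" test (an assumption of this example).
    // user_can() re-enters map_meta_cap() with 'manage_options', which the
    // guard above returns from immediately, so there is no recursion.
    if ( user_can( $user_id, 'manage_options' ) ) {
        return $caps;
    }

    // Editors, Authors and everyone else: deny the capability. Core then
    // routes their input through wp_filter_kses()/wp_kses_post() on save.
    return array( 'do_not_allow' );
}, 10, 3 );

/*
 * Blunter alternative, applied to every user including administrators:
 * add the following line to wp-config.php instead of using this plugin.
 *
 *     define( 'DISALLOW_UNFILTERED_HTML', true );
 */
```

To confirm which roles currently hold the capability on a site, `wp cap list editor` (WP-CLI) prints the Editor role's capabilities; `wp cap remove editor unfiltered_html` removes it from the stored role definition permanently, which is a third option if a filter in code is not wanted. Whichever route is chosen, the point stands: the behaviour in the report is a role permission decision made by WordPress core, and a plugin that honours it is not introducing a vulnerability.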
Last week, I (@amicalmant) posted on your WordPress support forum about the iThemes Security's warning about this issue last month. You'll be happy to note that it is now marked as resolved on their latest "Vulnerability Roundup" post and newsletter:
Thanks for your good work. :-)
Hi Christian, thanks for letting us know. I'll leave a comment there too, because in reality there never was a vulnerability: we didn't need to patch or fix anything, and the reporting service that instigated all this took the report down within hours of me notifying them, as it was an error.