WordPress / health-check

Health Check is a WordPress plugin that will perform a number of checks on your WordPress install to detect common configuration errors and known issues.
GNU General Public License v2.0

Minor Security Issues #465

Closed PluginVulnerabilities closed 1 month ago

PluginVulnerabilities commented 1 year ago

The latest version of the plugin, 1.7.0, introduced a couple of minor security issues into the plugin.

The function to enable or disable beta features, toggle_beta_features(), which is located in the file /HealthCheck/Tools/class-health-check-beta-features.php, lacks a needed capabilities check to limit who can access it. There is a nonce check that normally would do the equivalent of that, but it isn’t intended for that purpose.

The function delete_screenshot() in the file /HealthCheck/class-health-check-screenshots.php allows any post to be deleted, which isn’t ideal. Perhaps a nonce check specific for the item intended to be deleted could be checked for. Or a check to make sure the post to be deleted is of the intended type. Or a combination of those.
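The two hardening patterns the report asks for, as an added example written for this thread and not code from the Health Check plugin: a nonce only proves the request came from a form the site generated, so an explicit capability check is still needed, and a delete handler should bind its nonce to the target ID and confirm the post type before deleting. The hook names, nonce actions, option name and the `health-check-screenshot` post type are hypothetical placeholders.

```php
<?php
// Added example (not the Health Check plugin's own code): the two checks a
// privileged AJAX handler needs. Hook names, nonce actions and the
// 'health-check-screenshot' post type are hypothetical placeholders.

// 1. Toggling a setting: a nonce only proves the request came from a form
//    this site generated (CSRF protection). It does not say who the user is,
//    so an explicit capability check is still required.
function hc_example_toggle_beta_features() {
    // Nonce check: rejects forged cross-site requests.
    check_ajax_referer( 'hc_example_toggle_beta', 'nonce' );

    // Capability check: limits the action to administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $enabled = ! get_option( 'hc_example_beta_features', false );
    update_option( 'hc_example_beta_features', $enabled );
    wp_send_json_success( array( 'beta_features' => $enabled ) );
}
add_action( 'wp_ajax_hc_example_toggle_beta', 'hc_example_toggle_beta_features' );

// 2. Deleting an item: bind the nonce to the specific post ID, and confirm
//    the target is the post type this handler is meant to manage before
//    calling wp_delete_post(), so an arbitrary ID cannot be passed in.
function hc_example_delete_screenshot() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // The nonce action includes the ID, so a token issued for one item
    // cannot be replayed to delete another.
    check_ajax_referer( 'hc_example_delete_screenshot_' . $post_id, 'nonce' );

    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Refuse anything that is not a screenshot post, even with a valid nonce.
    if ( 'health-check-screenshot' !== get_post_type( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not a screenshot.' ), 400 );
    }

    if ( ! wp_delete_post( $post_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_hc_example_delete_screenshot', 'hc_example_delete_screenshot' );
```

Each `wp_send_json_error()` call ends the request via `wp_die()`, which is why no `return` follows it.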

Clorith commented 1 month ago

Thank you for the report. As you note, these are technically negated by various other mechanics, so this will be treated as a public hardening task.

We do ask that any potential security concerns you may notice in the future be reported via the WordPress HackerOne program, in accordance with WordPress' responsible disclosure policies, and guidelines on reporting plugin security issues though, please, as this gives the team a chance to identify if it should be a public hardening task, or a non-public issue in a timely manner.

PluginVulnerabilities commented 1 month ago

If you want security issues reported to you privately, then you need to have a proper system in place to handle that. What you are linking to is a bug bounty program for certain types of vulnerabilities. That is fine to have, but it isn't a proper way to handle the reporting of all security issues, as there are limits on what can be reported through those (look at the scope limitations listed for that one). And there are often restrictions (sometimes legally binding) placed on handling things through those that don't work for security providers that have various obligations (which may also be legally binding) to their customers.