Widespread WordPress Plugins and Themes Security Vulnerability


This is a general community announcement to bring your attention to an XSS vulnerability affecting multiple WordPress plugins and themes. The vulnerability is caused by a common code pattern used in WordPress plugins and themes available from ThemeForest and CodeCanyon, the wordpress.org website and other sources.

This issue is not limited to themes and plugins purchased from ThemeForest or CodeCanyon. Anyone using a WordPress website, regardless of where the theme or plugin was sourced, needs to be aware of this and take immediate action to ensure it is secure.

What should I do?

As there is no simple way of knowing exactly which plugins or themes are affected, and the issue is widespread, our best advice is to periodically check for updates to any WordPress themes or plugins you are using and apply those available as soon as possible.

Envato is actively working with all ThemeForest and CodeCanyon authors, explaining the issue and asking them to check that their items are secure and to update them if necessary.

We expect ThemeForest and CodeCanyon items to be continuously updated over the coming weeks, with the majority updated in the next few days. Updates may be downloaded from the Downloads page as they become available. If you would like to be automatically notified about new updates, please activate “Item update notifications” in your email settings.

For updates to items obtained from other sources, please check the Plugins and Themes pages in the WordPress Admin area or contact the source of the product.

We strongly recommend continuing to check for updates, especially over the next few weeks, but also on an ongoing basis. It is important to always keep your WordPress installation and associated plugins and themes up to date. If you still have concerns, we suggest engaging an experienced WordPress developer to check whether your site is affected.

More details are available via the following links:


  • Thanks for the update. If the plugins known to be affected are deactivated will the site still be vulnerable?

    • Hey Owen,

      There are some vulnerabilities which can be exploited without the plugins being active. In this case I think that’s unlikely – but I can’t guarantee that and it would be safer to delete them.

      However, see my comment to Aaron above – most of the plugins known to be affected have already been updated.

  • I’m using Infographer – Multi-Purpose Infographic Theme.

    Themes last updated 5 months ago?

    4.1.2 is not compatible with WP.

    Of course, safety is on.

    Themes 1,713 sales. Perfect number.

    But Qude does not update the theme!

    Why?

    • Hey Osman,

      We see you have left a comment for the author on the item’s Comments page. If you haven’t heard back from the author in the next week or so and you’re still concerned, we recommend engaging an experienced WordPress developer for advice/assistance.

  • Aaron Dear

    I use half of the plugins on my sites or client sites. That’s some terrifying stuff.

    • Hey Aaron,

      If you are talking about the plugins listed on the sites we link to, then the good news is most of those have already been updated to address this! You just need to make sure you (and your clients) are running the latest version. Note some of those may have been updated automatically, so you may not have seen the update.

      There will be other plugins out there, not on the list, that have not yet updated. It’s important to keep checking back and processing updates as they come through. Note: this is always important.

  • ceowebmaster

    Thanks for the update.

  • Elier Berrios

    What is the danger or consequence of this vulnerability?

    • 鄭禮民

      It’s in the first paragraph about the XSS Vulnerability. You can read more about it here: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html

    • Hey Elier,

      This is not about a particular known vulnerability in a particular theme or plugin, where the consequences can be evaluated. It’s about the potential for vulnerabilities in any item that uses these functions.

      Many items will be using these functions. Most of these are likely to be safe. Some will be technically vulnerable but very low risk. A few may have serious vulnerabilities. It all depends how the items use these functions.

      In theory, in the worst case scenario, an attacker may be able to execute JavaScript in your WordPress admin area, allowing them to basically do whatever they want. Note, I say ‘in theory’ – no one has actually worked out how to do this yet using these particular functions as the attack vector (as far as we know), but there may be some very clever people there working on it.

      The best advice is to keep everything (WordPress, theme, plugins) up to date, all the time.

  • Gordon Medley

    For what it’s worth, I run the free account provided by Cloudflare which allegedly blocks some, but not all threats. I’ve also got it set to block entire countries which I deem a potential risk.

  • wealthyone

    Would be nice to tell us more about it other than there is a problem.
    What does it do?
    How do we as buyers check?
    What do we look for?

    • Hey WealthyOne,

      I’ll repeat what I said to Elier below:

      This is not about a particular known vulnerability in a particular theme or plugin, where the consequences can be evaluated. It’s about the potential for vulnerabilities in any item that uses these functions.

      Many items will be using these functions. Most of these are likely to be safe. Some will be technically vulnerable but very low risk. A few may have serious vulnerabilities. It all depends how the items use these functions.

      In theory, in the worst case scenario, an attacker may be able to execute JavaScript in your WordPress admin area, allowing them to basically do whatever they want. Note, I say ‘in theory’ – no one has actually worked out how to do this yet using these particular functions as the attack vector (as far as we know), but there may be some very clever people there working on it.

      The best advice is to keep everything (WordPress, theme, plugins) up to date, all the time.

  • EnvatoFan

    Hi, I already bought the Security Ninja and Malware Scanner add-on for Security Ninja. Can those plugins prevent this security vulnerability?

    • Julien Desrosiers

      I don’t know for these particular plugins, but there is no tool that covers every security vulnerability out there.

    • Hi EnvatoFan,

      I agree with Julien that no tool can cover everything.

      Although those tools are sold through CodeCanyon, you’d have to ask the author (via the comments page) whether it checks for this.

      As this is a newly discovered vulnerability and there is some complexity around whether use of the functions is vulnerable or not, it would be best not to assume it checks for this, until you have confirmation from the author.

  • Sorry to hear that Carl. Unfortunately this isn’t something we can help with so we suggest engaging an experienced WordPress developer for advice/assistance. Hope you’re able to find a solution soon!

  • Thanks for the update. Hopefully all will go well and we won’t experience massive issues.

  • Thanks edoluz,

    We take security issues very seriously, so are doing everything we can.

  • Jose Matt

    Not seeing updates for the plugins I have purchased. Ninja Popups is affected by the latest update of Gravity Forms. Ninja works half the time. Maybe

    Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 49152 bytes) in /home/technetronpm/public_html/game1video.com/wp-includes/SimplePie/Parser.php on line 195

    195 is $tagName = $xml->localName;

    • Hey Jose,

      Sorry for the delay in responding. If Ninja Popups is having issues, which it seems to be, then you need to contact the author of that plugin for assistance.

  • Angela

    Hello Stephen and the team, I purchased Author Board from Mestowabo on April 1st, 2015. I downloaded it onto my drive then, but didn’t try to upload it to my file manager on my host until the last few days. Once I have it uploaded and check on WordPress for it, it keeps saying “The following themes are installed but incomplete. Themes must have a stylesheet and a template”. I’ve deleted and run through the whole process several times now, even uploading the files individually (which took all day for that try) once. And it still is saying the download I purchased from them is missing both the stylesheet and template.

    I just looked them up on Envato to see if there were any notes, etc. And did notice that on April 2nd and then yesterday they performed these changes:

    v1.0.6 (24 Apr 2015)

    – Security fixes (XSS vulnerability)

    v1.0.5 (2 April 2015)

    -New Feature: you can add different sliders on any page
    -New Feature: only page template “Front Page” now displays main slider

    Does this mean I need to re-download the theme I purchased?

    • Hey Angela, I see in a later comment that this resolved, which is great!

    • Angela

      Yeap, got it under control. Thanks! 🙂

  • dan

    Shouldn’t all WordPress themes be pulled until fixed? FORCE the authors to make the changes and no sales until they are made.

    Isn’t this the responsible approach?

    • Hey Dan,

      In previous cases where there was a known serious exploitable vulnerability in an item, we have disabled it immediately until it has been fixed. This case is different in that the vulnerability is not limited to a particular theme or plugin and can’t be easily identified.

      Many items will be using the potentially vulnerable functions. Most of these are likely to be safe (ie used in a way that there is no vulnerability). Some will be technically vulnerable but very low risk. A few may have serious vulnerabilities. It all depends how the items use these functions.

      So, we are making authors aware that they need to secure their items and are making buyers aware that they need to update. This is consistent with the way the rest of the WordPress community is approaching this issue.

  • Angela

    I can’t find my last comment, but I resolved the missing stylesheet issue. They did update the theme, but I hadn’t got the new download yet. Got that shortly ago, and uploaded to my host – and now it’s finally showing in my Theme list on WordPress! So, all good here – resolved. Thanks.

    • Thanks Angela, sorry for the delay in responding and glad that the situation is resolved.

  • Nitin Mohan

    I think you should not disclose this information like this until it gets solved, or rather you guys should send private emails to the subscribers of your plugins and themes.

    • Hey Nitin,

      This information has already been disclosed by Sucuri (link in the post above). Anyone who wants to take advantage of this information to hack websites already can, so we decided it was best to make all of our authors and buyers aware.

  • Gto Dust

    Envato Devs

    You should really, really, really investigate making the update process easier than it is by now. Almost every plugin out there has the option to update directly within the WP Admin Panel. Can you imagine how time consuming it is to update dozens of CC plugins on dozens of clients’ websites a week? I could hire someone only responsible for this task, which is simply not how things go in 2015 regarding updating apps and websites.

    • At present it is up to each plugin author to implement their own update mechanism. We are looking into the possibility of introducing a standard update mechanism in future, but this is still some way off.

  • I would like to add by saying, keep & maintain your item’s backups!

    • Yes – update everything, but backup everything first. Thanks Ashif.

  • Hey Code Serve,

    Unfortunately that’s not related to this issue and is not something we can help you with. You should seek assistance from an experienced WordPress developer.

  • Hey Francois. Thanks for the advice. Users of this theme (and all themes), should watch for updates over the coming weeks and apply them when they come.

  • Hey Benjy,

    Unfortunately, there is no easy way to check plugins to see if they are vulnerable or not. We recommend engaging an experienced WordPress developer to examine the code.

    According to the Post Status website, there were 5 plugins that may have auto-updated without you noticing:

    Jetpack, Easy Digital Downloads, P3 Plugin Profiler, Download Monitor, and Related Posts for WordPress are all opting in to automated forced updates from WordPress.org. This means that these plugins have created new releases for each major branch of their plugins to be distributed and automatically updated by the WordPress.org team.

    Any other plugins will need to be updated manually.

  • Hey Julie, Do you mean that you cannot access your WordPress admin area? If so it’s important you gain access to this (or have someone who can access it for you). Unfortunately, we are unable to help you with this and recommend contacting your hosting advisor as a first step.

    • Julie Mockerman

      Thanks, Stephen! I checked with them and found a link to “the white screen of death”. Fortunately, they walked me through resetting things through the back way, so I’m back in now. Thanks for your response!

  • Hey xssinspector,
    We are warning you now because a new potential vulnerability has recently been disclosed. This may affect a lot of plugins and themes, including those sold here through CodeCanyon and ThemeForest.

  • Hey Mikauk,
    In general, as you are using a child theme, you should be able to use FTP to replace the parent theme. However, each theme can be different and update instructions are normally provided by the theme author. If you cannot find these, you should contact the theme author for advice about how to update their particular theme.