Earlier today we full disclosed that a WordPress theme contains a vulnerability due to its inclusion of the plugin OptionTree, which we had full disclosed contained the same vulnerability last week. That plugin was removed from the Plugin Directory after the disclosure (though strangely that hasn’t happened with a security plugin that has the same type of vulnerability that we disclosed yesterday, so who knows what is going on the WordPress side of things). As we noted in the post earlier today, it looks like other themes have, at least in the past, also included the plugin as part of their code. What we have also now run across is that other themes have been separately installing it. With it removed from the Plugin Directory that doesn’t work anymore.
If those theme developers go to the Plugin Directory they wouldn’t know it was removed due to a security vulnerability as the only information given is:
This plugin was closed on November 6, 2018 and is no longer available for download.
The problem with that is that removing it won’t stop them from trying to use it, as a topic, Older themes still required OptionTree, on the support forum of the plugin started yesterday indicates. Here is the relevant part of the original post:
We are using Option Tree plugin in some of our older themes. The install is made via WordPress repository. Now, since the plugin is no longer available, install of it is unavailable. What could be the easiest solution? Is there an option to access the latest version in repo?
In response someone else pointed out where else it can be obtained:
You can still get the latest version on the github repo: https://github.com/valendesigns/option-tree, and include it in the theme package then use the TGMPA script for the installation process.
It seems the plugin has been discontinued for a long time and the chance for further development is very slim. I think we need to find an alternative to it.
What is important to note here is that just telling people that it has a vulnerability isn’t necessarily going to stop them from using it.
The Twitter account for the party that responded there about where to obtain it tweeted this the day after the plugin was removed:
Hi @valendesigns, We have recently found that the OptionTree plugin is no longer available on https://t.co/50iBYawxcd's plugin repository. Do you know what happened and will it be available again? Thanks!
— UXBARN (@uxbarn) November 7, 2018
The response to that from the developer of the plugin indicated it has a vulnerability:
A security vulnerability was found, it’s not clear when or if I’ll have time to fix it. The plugin was built for Envato back when I use to work there so I’ll need to talk to them and see if they’re interested in paying for the work to fix it. I’ll update after that conversation.
— Derek Herman (@valendesigns) November 7, 2018
Five days later that theme developer indicated they were going to being including the plugin, which they now knew to be vulnerable, in their themes for the time being:
We are updating our themes to include the OptionTree plugin directly in the package. This is just a temporary solution while we are searching for an alternative to it. All the details about this change will be posted anytime soon.
— UXBARN (@uxbarn) November 12, 2018
That seems like a good reason to repost part of post from earlier today:
We have added a check to our Plugin Security Checker that will flag the inclusion vulnerable versions of OptionTree in another plugin. While that tool is designed for plugins, if you are a customer of our service you can upload plugins not in the Plugin Directory to check those and that same capability can also be used to check themes. While looking into adding that check to the tool we found that at least a couple of commercial themes have at least in the past included it as well, so you may want to manually check themes for that inclusion of that plugin or run them through the tool, where it could also identify possible other security issues in the themes.
What can be done about people that are going to distribute to others software they know is vulnerable is something we don’t have a good answer for. Making sure that plugin vulnerabilities are fixed if the developer isn’t around would be one answer. We have offered to do that for vulnerabilities that are likely to be exploited on the average website, but doing that for every vulnerability would be quite a task.