29 Nov

Report This Theme Feature of WordPress Theme Directory Doesn’t Seem to Lead To Appropriate Action When Security Vulnerability Reported

What has long seemed to us to be an obvious issue with the WordPress Plugin Directory is the lack, on the pages for plugins, of any mention of how to report security issues in plugins, or of any method for doing that reporting. For the people on the WordPress side of things that doesn’t seem to be obvious, even though moderators repeatedly tell people reporting those issues through the forum that they shouldn’t be doing that (a lack of ability to conceive that what they are doing isn’t working seems endemic among the people on the WordPress team and has led to serious issues, like websites being unnecessarily hacked). Interestingly, after running across a vulnerable WordPress theme, Hueman, a couple of weeks ago, we noticed that the Theme Directory actually does have that sort of thing.


14 Nov

Full Disclosure of CSRF/PHP Object Injection Vulnerability in WordPress Theme with 70,000+ Installs

With our service we cover WordPress plugins (as you might guess from our name), but not WordPress themes. There are a number of reasons for that, including the dearth of vulnerabilities being disclosed in themes, which seems to be related to the limited amount of potentially vulnerable code in them, despite it being possible for them to contain all the same types of issues as plugins. We got a reminder of that when we ran some of the most popular themes available in the WordPress Theme Directory through the checks we do of changes being made to plugins as part of our proactive monitoring (which tries to catch serious vulnerabilities before they are exploited) and a few other checks. The proactive monitoring checks didn’t pull up anything, but one of the other checks brought up the fact that the theme Hueman, which has 70,000+ active installs according to wordpress.org, contains the plugin OptionTree.
