Hi. You all are probably aware by now of the “Cross-site Scripting (XSS) vulnerability” matter which is detailed here: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
I’m using several Enfold themes, and they’re updated. So, is there a risk I need to know about here?
I also received an email this morning from Envato saying that Themeforest themes and plugins are vulnerable. So thank you @laptophobo for asking the question. It looks like we should be asking about the Enfold theme AND the built-in plugins it uses, right?
Hey!
It’s not really a problem for our themes. We only ship the TGM Plugin Activation class with our framework, which has been identified as not 100% secure, and the framework will be updated for all themes with the new class asap. To exploit the class you would need admin access anyways, so the chance of something bad happening is really slim. All other instances of add_query_arg seem to be secure.
Cheers!
Rikard
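For anyone who wants to check the "other instances of add_query_arg" in their own theme or plugins, here is a small audit script added as an example (not code from the Enfold team or this forum). It flags add_query_arg()/remove_query_arg() calls that are not directly wrapped in esc_url() or esc_url_raw(), the WordPress escaping functions for URLs; the PHP sample it scans is constructed for the demo, and the check is a line-based heuristic rather than a full parser.

```python
import re

# Constructed PHP sample showing the pattern behind the 2015 advisory:
# a URL built from add_query_arg/remove_query_arg is output without escaping.
SAMPLE_PHP = """<?php
// Unsafe: URL derived from the request and echoed raw into an href.
echo '<a href="' . add_query_arg( 'page', 'settings' ) . '">Settings</a>';
// Unsafe: same problem via printf.
printf( '<a href="%s">Reset</a>', remove_query_arg( 'filter' ) );
// Safe: escaped for HTML attribute output.
echo '<a href="' . esc_url( add_query_arg( 'page', 'settings' ) ) . '">Settings</a>';
// Safe: raw-escaped for non-HTML use such as a redirect.
wp_safe_redirect( esc_url_raw( add_query_arg( 'updated', 'true' ) ) );
"""

CALL_RE = re.compile(r"\b(add_query_arg|remove_query_arg)\s*\(")
ESCAPERS = ("esc_url(", "esc_url_raw(")
COMMENT_PREFIXES = ("//", "#", "*", "/*")


def find_unescaped_query_arg_calls(php_source):
    """Return (line_number, function_name, source_line) for every
    add_query_arg/remove_query_arg call whose immediately enclosing
    call is not esc_url() or esc_url_raw().

    Heuristic lint: a result stored in a variable and escaped later
    is still reported, so treat findings as review candidates.
    """
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        if line.lstrip().startswith(COMMENT_PREFIXES):
            continue  # skip comment lines that merely mention the function
        for match in CALL_RE.finditer(line):
            prefix = line[: match.start()].rstrip()
            if not prefix.endswith(ESCAPERS):
                findings.append((lineno, match.group(1), line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, func, src in find_unescaped_query_arg_calls(SAMPLE_PHP):
        print(f"line {lineno}: unescaped {func}() -> {src}")
```

Run it over real files with `find_unescaped_query_arg_calls(open(path).read())`; every hit should end up wrapped in esc_url() (HTML output) or esc_url_raw() (redirects, headers) or be confirmed as escaped elsewhere.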
Thanks for explaining that. I imagine this will be a popular question in the coming days.
Hey @laptophobo
That was my thought too when I read the email from Envato, but we’ve only had a handful so far :)
Regards,
Rikard
Hi Rikard,
Good to know there are no problems expected from this XSS vulnerability issue :-)
Thanks & regards,
Monique