Viewing 6 posts - 1 through 6 (of 6 total)
  • #434485

    Hi. You all are probably aware by now of the “Cross-site Scripting (XSS) vulnerability” matter which is detailed here: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html

    I’m using several Enfold themes, and they’re updated. So, is there a risk I need to know about here?

    #434721

    I also received an email this morning from Envato saying that Themeforest themes and plugins are vulnerable. So thank you @laptophobo for asking the question. It looks like we should be asking about the Enfold theme AND the built-in plugins it uses, right?

    #435056

    Hey!

    It’s not really a problem for our themes. We only ship the TGM Plugin activation class with our framework which has been identified as not 100% secure and the framework will be updated for all themes with the new class asap. To exploit the class you would need admin access anyways so the chance of something bad happening is really slim. All other instances of add_query_arg seem to be secure.

    Cheers!
    Rikard
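For readers who want to review the `add_query_arg` calls in their own theme or plugin code, here is an added example (not part of this thread and not the theme's own code): a heuristic Python audit that lists `add_query_arg()` / `remove_query_arg()` calls in PHP source whose result is not wrapped in `esc_url()` or `esc_url_raw()`. The PHP sample is constructed for illustration, and the function names `enclosing_calls` and `audit` are this example's own.

```python
import re

# Without an explicit URL argument these WordPress functions build on the
# current request URI, so their result must be escaped before it is output.
CALL = re.compile(r"\b(add_query_arg|remove_query_arg)\s*\(")
SAFE_WRAPPERS = {"esc_url", "esc_url_raw"}  # esc_url_raw is meant for redirects

def enclosing_calls(src, pos):
    """Names of the calls that enclose position pos within its statement."""
    names, depth = [], 0
    i = pos - 1
    while i >= 0 and src[i] != ";":          # stop at the previous statement
        if src[i] == ")":
            depth += 1
        elif src[i] == "(":
            if depth:
                depth -= 1                   # closes an earlier, finished call
            else:                            # an open paren that still wraps pos
                m = re.search(r"([A-Za-z_]\w*)\s*$", src[:i])
                names.append(m.group(1) if m else "")
        i -= 1
    return names

def audit(src):
    """Return (line, function) for each call not wrapped in an escaper.

    Heuristic only: parentheses inside string literals can mislead it, and a
    flagged assignment may be escaped later, so treat hits as review items.
    """
    findings = []
    for m in CALL.finditer(src):
        if not SAFE_WRAPPERS.intersection(enclosing_calls(src, m.start())):
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1)))
    return findings

# Constructed sample, not taken from any real theme.
SAMPLE = '''<?php
echo '<a href="' . add_query_arg( 'tab', 'plugins' ) . '">Plugins</a>';
echo '<a href="' . esc_url( add_query_arg( 'tab', 'plugins' ) ) . '">Plugins</a>';
$url = remove_query_arg( array( 'paged' ) );
wp_safe_redirect( esc_url_raw( add_query_arg( 'done', 1, admin_url( 'themes.php' ) ) ) );
'''

if __name__ == "__main__":
    for line, name in audit(SAMPLE):
        print(f"line {line}: {name}() result is not passed through esc_url()")
```
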

    #435486

    Thanks for explaining that. I imagine this will be a popular question in the coming days.

    #436464

    Hey @laptophobo

    That was my thought too when I read the email from Envato but we’ve only had a handful so far :)

    Regards,
    Rikard

    #440325

    Hi Rikard,

    Good to know there are no problems expected from this XSS vulnerability issue :-)

    Thanks & regards,
    Monique

  • The topic ‘Cross-site Scripting (XSS) vulnerability issue?’ is closed to new replies.