    #1495223

    Good morning everyone,
    We are an Italian agency and have developed more than 10 websites using Enfold (for which I can send you all the purchase certificates), two of which are also fairly large and well-positioned e-commerce websites.
    Between February 13th and 14th, we suffered attacks due to Cross Site Scripting (XSS).
    Some sites have been fixed, others haven’t yet.
    The real problem is that Cross Site Scripting (XSS) has been classified by antivirus systems (Norton, Avira, etc.) for PCs, and many of our clients and users can no longer reach their website because they are blocked first.

    A patch for this vulnerability is URGENTLY NEEDED; the theme is practically unusable for PC users; Mac users are better off accessing it.

    Do you have a release date for the patch?
    It’s really urgent because I no longer know how to explain the situation to my clients and so many users.

    Thank you very much!
    Antonella

    #1495240

    Please be honest – go to securityheaders.com and enter your website there. If you don’t have an F, then you’re okay – if you have an A+, it’s almost the gold standard for online banking.
    If you close these gates, a fix wouldn’t be necessary at all.
    https://securityheaders.com/?q=https%3A%2F%2Fwebers-testseite.de%2F&followRedirects=on

    and this CSP header for scripts: script-src 'nonce-KbhxgiTjJyYd7tEq282YPA' 'strict-dynamic' 'self' is the non plus ultra.
    Each time you open that site, the nonce (number used only once) key is randomly changed. If a script does not include that nonce, it will be blocked!
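
As an added illustration of the nonce-based policy described in the post above (example code written for this thread, not part of Enfold or the original reply): a small Python response builder that mints a fresh nonce per request, sends the script-src header quoted above, and models which inline scripts a browser would run under it. The object-src and base-uri directives, the page markup and the second, nonce-less script tag are constructed assumptions for the demonstration.

```python
import base64
import re
import secrets
from typing import Dict, List, Optional, Tuple


def make_nonce() -> str:
    """Fresh 128-bit random value per response, base64 as CSP nonces must be."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp(nonce: str) -> str:
    """The script-src quoted in the thread; object-src/base-uri are an added assumption."""
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic' 'self'; "
            "object-src 'none'; base-uri 'self'")


def script_src_nonces(csp_header: str) -> set:
    """Collect the nonce sources listed under the script-src directive."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return {p[len("'nonce-"):-1] for p in parts[1:] if p.startswith("'nonce-")}
    return set()


def inline_script_allowed(csp_header: str, script_nonce: Optional[str]) -> bool:
    """Model the browser's decision for one inline <script>: with a nonce policy it runs
    only if its nonce attribute matches the header; 'self' never whitelists inline code."""
    return script_nonce is not None and script_nonce in script_src_nonces(csp_header)


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r'\bnonce="([^"]*)"')


def inline_script_nonces(html: str) -> List[Optional[str]]:
    """Nonce attribute of every <script> tag in the page, None where it is missing."""
    return [(m.group(1) if (m := NONCE_ATTR.search(tag.group(1))) else None)
            for tag in SCRIPT_TAG.finditer(html)]


def respond() -> Tuple[Dict[str, str], str]:
    """One HTTP response: new nonce, policy header, theme script carrying that nonce.
    The second <script> is a constructed sample of injected markup with no nonce."""
    nonce = make_nonce()
    html = (f'<!doctype html><script nonce="{nonce}">console.log("theme")</script>'
            '<script>console.log("injected, no nonce")</script>')
    headers = {"Content-Type": "text/html; charset=utf-8",
               "Content-Security-Policy": build_csp(nonce)}
    return headers, html


def blocked_scripts(headers: Dict[str, str], html: str) -> int:
    """How many inline scripts on the page the policy would refuse to run."""
    csp = headers["Content-Security-Policy"]
    return sum(1 for n in inline_script_nonces(html) if not inline_script_allowed(csp, n))
```

Calling respond() twice yields two different nonces, so a script value captured from one page load is useless on the next.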

    #1495262

    Ok Guenni007, I just tested the website and the result is a yellow B.
    I have to fix Strict Transport Security and Content Security Policy (Missing Headers).
    We’re going to fix it.

    Last Friday, the site was hacked. Instead of the homepage, we had a redirect to a Clearfix page. Admin users logged in, and fake plugins appeared. We removed everything. The next day, all the site’s images were gone.
    We downloaded the backup (site and database), deleted everything, and started over.
    We added more security plugins.
    We still don’t know what happened; it’s definitely not just Enfold, but it could also be Woocommerce, and especially Revolution Slider, which was removed in the new version.
    Nothing like this has ever happened before!
    In any case, thank you so much for your advice: precious!

    #1495271

    Hi,

    Thank you for the inquiry.

    A fix will be included in the next patch, 7.1.4. We have forwarded this thread to our channel again and you will be notified once the patch is released. Thank you for your patience.

    Best regards,
    Ismael

    #1495296

    7.1.4 is downloadable now

    #1495297

    Thanks everyone!
    I received the email saying the new version 7.1.4 is available, and I've already installed it on all the websites that use Enfold.

    Thanks again!
