  • #1344008

    Hi Yigit,

    You closed the topic that started with this message:

    Hi Guys,

    I got the following security report from Zerocopter for three websites running Enfold. I am not sure whether this is a real security risk for the use of Enfold.

    It works the same as is described in the article below but for an unclaimed theme, like here: https://wordpress.org/themes/enfold/
    https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/

    It is called the WP theme confusion attack. I can send you all of the information but then I need to be able to upload the images they sent me.

    Please let me know what you think and whether you need additional information. Thanks Rob

    BUT the person who told us about the security issue says it still is a security issue because of this reason:

    This is incorrect, as soon as the WordPress update API can reach an official theme endpoint, e.g. https://wordpress.org/themes/enfold, it will prioritise that update. This is the default fallback in WordPress Core, it always checks the official /themes endpoint before checking a third-party asset.
    You can read about it in the following thread: https://wordpress.org/support/topic/custom-theme-being-replaced-with-wordpress-org-theme/
    It explains the situation quite well, even though it is a bit dated (WordPress Core works the same).

    Is it true that when hypothetically someone would claim the URL: https://wordpress.org/themes/enfold/ that the update API would prioritise that URL?

    Thanks Rob
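
    A defensive mitigation for the scenario described above, added here as an example and not code from this thread, from Kriesi or from the Enfold theme: a small must-use plugin that removes a theme from the payload WordPress sends to the wordpress.org theme update-check API, and discards any wordpress.org update entry for that slug that still lands in the update transient. It assumes the theme's directory name (its slug) is `enfold`; the hooks `http_request_args` and `site_transient_update_themes` and the helper `wp_json_encode()` are WordPress core.

```php
<?php
/**
 * Plugin Name: Exclude a non-wordpress.org theme from wordpress.org update checks
 * Description: Added example (not from the thread or the theme). Stops the
 * wordpress.org theme update API from being asked about, or supplying an
 * "update" for, a theme that is not hosted on wordpress.org.
 * Install by placing this file in wp-content/mu-plugins/.
 */

// Assumption: the theme's directory name (slug) is "enfold".
const EXCLUDED_THEME_SLUG = 'enfold';

/**
 * Layer 1: strip the theme from the JSON payload sent to
 * api.wordpress.org/themes/update-check/, so wordpress.org is never asked
 * whether it has a newer "enfold" and cannot answer with one.
 */
add_filter( 'http_request_args', function ( $args, $url ) {
    if ( false === strpos( $url, 'api.wordpress.org/themes/update-check' ) ) {
        return $args; // not the theme update check, leave the request alone
    }
    if ( empty( $args['body']['themes'] ) ) {
        return $args;
    }

    $payload = json_decode( $args['body']['themes'], true );
    if ( ! is_array( $payload ) || ! isset( $payload['themes'] ) ) {
        return $args; // unexpected shape, do not touch it
    }

    unset( $payload['themes'][ EXCLUDED_THEME_SLUG ] );
    $args['body']['themes'] = wp_json_encode( $payload );

    return $args;
}, 10, 2 );

/**
 * Layer 2: if an update entry for the slug is already present in the cached
 * update transient (e.g. from a response received before this plugin was
 * installed), drop it before WordPress offers or auto-applies it.
 */
add_filter( 'site_transient_update_themes', function ( $transient ) {
    if ( is_object( $transient ) && isset( $transient->response[ EXCLUDED_THEME_SLUG ] ) ) {
        unset( $transient->response[ EXCLUDED_THEME_SLUG ] );
    }
    return $transient;
} );
```

    After installing it, the Dashboard → Updates screen should no longer list a wordpress.org update for the theme, regardless of what the directory returns for that slug; the theme's own update channel is unaffected because it does not go through the wordpress.org update-check request.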

    #1344021

    Hey Rob,

    Thanks for the information!

    I am still positive that WordPress theme review team would never accept a theme named Enfold to their repository. For newer/less popular themes that could be the case but Enfold has been around for almost a decade and it is one of the most popular WordPress themes so no theme named Enfold would pass WordPress review team’s strict review.

    That being said, I will forward the information to our devs and check with them once again :)

    Best regards,
    Yigit

    #1344023

    Hi Yigit,

    I know it is highly hypothetical but if it is somehow possible it is a big risk to take. I also don’t know whether it is possible to claim a URL before you upload a theme.

    Better safe than sorry.

    Rob

    #1344396

    Hi Rob,

    We have checked with the WordPress themes team and they confirmed that a theme named “Enfold” will not be accepted to the WordPress repository. They said that their system would not allow uploading a theme with more than 50 active users :)

    Best regards,
    Yigit
