WordPress Theme Vulnerability Confusion

I was surprised to find WP-Multiflex-03 listed in the post "Top 10 Vulnerable WP Themes" on Blogsecurity.

At first I was speechless, as it was quite a shock, especially as I couldn't see how a theme could cause vulnerabilities such as cross-site scripting, as was alleged in this case.

With further research it seems that the predefined PHP variable "PHP_SELF", when used incorrectly, can allow cross-site scripting. See "Common WP Theme Vulnerabilities" for more info.
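To make the PHP_SELF issue concrete, here is an added example that is not code from the WP-Multiflex-03 theme or from Blogsecurity; the request path and the theme file name in it are constructed for illustration:

```php
<?php
// Added example, not from the WP-Multiflex-03 theme or from Blogsecurity.
// Shows why reflecting $_SERVER['PHP_SELF'] into a form action is unsafe
// and what the escaped alternative looks like.

// Constructed sample request path. PHP_SELF is the script path plus any
// extra path segments the client appends (PATH_INFO), so a visitor can put
// quote and angle-bracket characters into it simply by requesting a URL.
$php_self = '/wp-content/themes/example-theme/searchform.php/"><i>x</i>';

// Vulnerable pattern: PHP_SELF echoed verbatim inside an HTML attribute.
// The quote closes the attribute and the rest of the path is parsed as markup.
function form_action_unsafe(string $self): string
{
    return '<form method="get" action="' . $self . '">';
}

// Hardened pattern: encode for the attribute context before output, so the
// quote and brackets reach the browser as entities rather than as markup.
function form_action_escaped(string $self): string
{
    $safe = htmlspecialchars($self, ENT_QUOTES, 'UTF-8');
    return '<form method="get" action="' . $safe . '">';
}

// Safer still: do not build the action from the request at all. A theme can
// point the form at a path the site controls, so nothing from the incoming
// request is reflected into the page.
function form_action_fixed(): string
{
    return '<form method="get" action="/">';
}

// Simple check: a correctly built form opening tag contains exactly one '<'.
// Any additional '<' means part of the request path escaped the attribute.
function contains_only_form_tag(string $html): bool
{
    return substr_count($html, '<') === 1;
}

// The unsafe version leaks the injected tags; the escaped and fixed versions
// keep everything inside the attribute value.
foreach ([form_action_unsafe($php_self), form_action_escaped($php_self), form_action_fixed()] as $html) {
    echo $html, ' => ', contains_only_form_tag($html) ? 'intact' : 'broken out of attribute', "\n";
}
```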

I am sure that this is all correct, but from what I remember of the WP-Multiflex-03 theme files it shouldn’t have any vulnerabilities!

Fortunately the guys over at Blogsecurity have set up a WordPress scanner called wp-scanner that will check WordPress and consequently the theme in use for vulnerabilities. This gave me a way to test the theme.

I set up a fresh install of WordPress and installed WP-Multiflex-03 and ran the test and it passed - no vulnerabilities! I also checked the other 4 earlier versions I have and all passed the test without vulnerabilities.

I have informed Blogsecurity about this and they have marked the theme as fixed, but as far as I can see there never was a vulnerability in WP-Multiflex-03, which leads me to think that there is a lot more to this than meets the eye.

All I can conclude is that something is causing a vulnerability, but it isn't the theme. Blogsecurity haven't really got to the bottom of it, as they have just concluded it is the theme without verifying their findings, which is a bit sloppy and not very professional for people who set themselves up as an organization dealing with blog security!

Now, are there any real experts out there who can make any sense of this?

This entry was posted on Tuesday, August 14th, 2007 at 8:53 pm and is filed under WordPress, WordPress Themes.

6 Responses to “WordPress Theme Vulnerability Confusion”

  1. Alberto Says:

    I just checked Blogsecurity. It doesn't seem an authoritative blog. I think you can keep quiet and forget it.

  2. Andreas Says:

    Have you received any "wp-andreas09"-related e-mails from Turkey (or in Turkish) recently? If so, please write me a line. If not, then just ignore the silly question…

  3. Michael Says:

    How can a theme be the vulnerability? Normally the theme consists only of style elements and can’t be responsible for a vulnerability. Maybe the guy from blogsecurity has installed a plugin that was vulnerable, but I can’t believe that just a theme can be a security hole.

  4. Pj Says:

    Interesting … either way, I recently installed Multiflex on a new blog I’m about to launch and love it. Thank you SO much.

    I have a question though — do you have any themes available for download similar to your own webgazette look? The rounded-corner, encapsulated posts is JUST what I’m looking for!!!!

  5. Tom Bammann Says:

    I agree that was a bit harsh for them to make bad publicity for something you provide to the community voluntarily without backing up their claim. Must be de-motivating for you but I hope you don’t let it get to you and you keep up the great work! People like myself REALLY appreciate your work.

  6. Kurt Greenbaum Says:

    Hoping you’ll have a chance to respond to this. I am nearly done redoing my church’s web site, using this theme (v10). It seems that it will do nicely for our purposes. Two questions I have:

    When I click the “previous entries” link on the home page, it simply reloads the home page — and there are older entries I’ve put in for testing.

    Second question: How difficult would it be to make the “pages” menu at the top (in the header) drop down to show the child pages? Is that a difficult task?

    Thanks in advance for any advice you can provide.

    Best regards,

    Kurt Greenbaum
