{"id":2403,"date":"2015-03-30T12:00:57","date_gmt":"2015-03-30T18:00:57","guid":{"rendered":"http:\/\/www.whitefirdesign.com\/blog\/?p=2403"},"modified":"2015-03-30T12:00:57","modified_gmt":"2015-03-30T18:00:57","slug":"no-one-bothers-to-report-security-issue-in-wordpress-theme-either","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2015\/03\/30\/no-one-bothers-to-report-security-issue-in-wordpress-theme-either\/","title":{"rendered":"No One Bothers to Report Security Issue in WordPress Theme Either"},"content":{"rendered":"<p>For years we have\u00a0<a title=\"24 More WordPress Plugins With Publicly Known Vulnerabilities Were in Plugin Directory\" href=\"http:\/\/www.whitefirdesign.com\/blog\/2012\/03\/15\/24-more-wordpress-plugins-with-publicly-known-vulnerabilities-were-in-plugin-directory\/\">discussed<\/a> the fact that in many cases with publicly disclosed security vulnerabilities in WordPress plugins, no one bothers to notify the developer or WordPress.org about them (that\u00a0includes organizations\u00a0selling\u00a0WordPress security services like <a title=\"Wordfence and WPScan Acted Irresponsibly With WordPress Plugin Vulnerability\" href=\"http:\/\/www.whitefirdesign.com\/blog\/2014\/12\/18\/wordfence-and-wpscan-acted-irresponsibly-with-wordpress-plugin-vulnerability\/\">WordFence and WPScan<\/a>). 
In many cases, if this were done, that <a title=\"We Have Now Helped Get 16 WordPress Plugin Vulnerabilities Fixed\" href=\"http:\/\/www.whitefirdesign.com\/blog\/2015\/03\/06\/we-have-now-helped-get-16-wordpress-plugin-vulnerabilities-fixed\/\">would be enough to get them fixed<\/a>.\u00a0In other cases, when the vulnerability does not get fixed, the plugin will be pulled from the WordPress.org Plugin Directory and that will prevent more websites from adding the vulnerable plugins (alerting people that they are using plugins that have been removed from the directory is something <a title=\"WordPress Leaves Very Vulnerable Plugin In Plugin Directory\" href=\"http:\/\/www.whitefirdesign.com\/blog\/2015\/03\/16\/wordpress-leaves-very-vulnerable-plugin-in-plugin-directory\/\">we have been pushing for for years<\/a>).<\/p>\n<p>We have more than enough time taken up looking into security issues in plugins, so we rarely\u00a0look into security issues with themes, but we happened upon one last week\u00a0that shows the lack of reporting extends to theme issues. Back on February 13\u00a0an <a href=\"http:\/\/packetstormsecurity.com\/files\/130397\/\">authenticated arbitrary file upload vulnerability was disclosed in the current version of the Fusion theme<\/a>, which <a href=\"https:\/\/wordpress.org\/themes\/fusion\/\">was available<\/a> on the WordPress.org Theme Directory. After confirming that the vulnerability existed we <a href=\"http:\/\/codex.wordpress.org\/FAQ_Security#Where_do_I_report_security_issues.3F\">reported it to WordPress.org<\/a>\u00a0and then within an hour it\u00a0was pulled from the directory.<\/p>\n<p>What was troubling is that we don&#8217;t appear to have been the only people that had taken a look. 
Here is a screenshot of the graph of downloads from right before the theme was taken down from the Theme Directory:<\/p>\n<p><a href=\"https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2015\/03\/fusion-theme-download-graph.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2404\" src=\"https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2015\/03\/fusion-theme-download-graph.png\" alt=\"fusion-theme-download-graph\" width=\"600\" height=\"450\" srcset=\"https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2015\/03\/fusion-theme-download-graph.png 600w, https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2015\/03\/fusion-theme-download-graph-300x225.png 300w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/a><\/p>\n<p>We are pretty sure that\u00a0spike in downloads shortly\u00a0after the disclosure is\u00a0related to people looking into the vulnerability and yet no one else looking at the issue bothered to report it. That includes the people at WPScan, who <a title=\"Wordfence and WPScan Acted Irresponsibly With WordPress Plugin Vulnerability\" href=\"http:\/\/www.whitefirdesign.com\/blog\/2014\/12\/18\/wordfence-and-wpscan-acted-irresponsibly-with-wordpress-plugin-vulnerability\/\">again<\/a>\u00a0included a vulnerability\u00a0<a href=\"https:\/\/wpvulndb.com\/vulnerabilities\/7795\">in their vulnerability database<\/a>, but didn&#8217;t report it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For years we have\u00a0discussed the fact that in many cases with publicly disclosed security vulnerabilities in WordPress plugins, no one bothers to notify the developer or WordPress.org about them (that\u00a0includes organizations\u00a0selling\u00a0WordPress security services like WordFence and WPScan). 
In many cases if this was done that would be enough to get them fixed.\u00a0In other cases, when &hellip; <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2015\/03\/30\/no-one-bothers-to-report-security-issue-in-wordpress-theme-either\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;No One Bothers to Report Security Issue in WordPress Theme Either&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,3],"tags":[45],"class_list":["post-2403","post","type-post","status-publish","format-standard","hentry","category-bad-security","category-wordpress","tag-wpscan"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2403","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=2403"}],"version-history":[{"count":3,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2403\/revisions"}],"predecessor-version":[{"id":2407,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2403\/revisions\/2407"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=2403"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=2403"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=2403"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}