WPPixelprint says

As I see, the issue is now fixed. I post this on the forum so people like me would know what to do, as the author doesn’t care much about notifying buyers that the issue existed and is now fixed. In their changelog for 3.6 I see “Some minor bug fixes” :)

Yesterday, one of my clients reported that the LayerSlider on his homepage was “deleting” itself and he had to recreate it. After some digging in the code, I found that anyone can remove/import/duplicate these layersliders just by sending a simple request without admin access, and probably someone knew this too and was just “playing”.

As my coding knowledge tells me, this vulnerability can’t harm anything else except layersliders. The mistake is completely childish, and it’s very easy to find; probably the team of developers isn’t very experienced in PHP.

The 3.5 version has been selling on CodeCanyon for a few months, as far as I can tell, and even many themes from ThemeForest have it bundled.

GFlashedBureau says

LOL! It’s bundled with a top-selling ThemeForest theme.

WPPixelprint says

Yep, it would be great if Envato had some kind of notification system for such cases.

krafti says

Thanks, I am actually using it in one of my projects.

kreatura says

Hello,

We are the authors of this plugin.

Yes, this was a security issue, but we already fixed it quickly with version 3.6 as soon as we discovered this problem. We are sorry about this and of course it was our responsibility, but there are several reasons why we didn’t mention this issue. As you may know, most of our customers are out of reach since Envato doesn’t offer any way to alert all of our customers. So the most important reason why we didn’t want to make this issue public is that some of our customers are still using v3.5 and we could actually make it worse by letting “hackers” get to know about this issue. This is the case with this forum thread. You may alert a few LayerSlider WP users, but you also make this issue public and now some bad people can use it to mess with our customers.

We did everything we could to tell our customers how important updating the plugin is. We did write a comment in the comments section of the item, although we didn’t mention this issue because of the reasons above. We did make contact with popular theme authors like the Avada guys and they now ship their themes with LayerSlider WP version 3.6.

We truly believe that this issue is a minor security case. It only affects the plugin; there is no door into your WP installation. The intruder cannot actually delete your sliders, they are only flagged as removed, but the slider is still in your database unmodified and you can recover it at any time.

Also, it is worth mentioning that this issue is more like a WordPress issue rather than a plugin issue. We did assume that WP won’t let requests through from visitors without permission to open the plugin page. If WP checked the permissions properly, it could never happen. And you have to understand that there are a lot of automatic subroutines in a framework which aren’t documented, so we never got a chance to know that this can cause problems.

Now the problem is that everyone who wants to make bad jokes and reads this topic will start digging into this issue and they can mess with people who haven’t updated the plugin. You should know that we can’t do anything to tell everyone how important updating the plugin is. Really few of them will read this thread and we truly think this wasn’t a smart step, because you basically told every “hacker” how they can use a security hole, which won’t end well.

Again, this issue is already fixed and we didn’t mention it not to cover our mistake, but for the safety of our customers. We are truly sorry for any inconvenience.

WebSmacker says

Not allowing authors to contact the customers about issues like this is a major flaw in the Envato system. Even if it is just a text box with a send button that emails all buyers, it would be better than nothing!

WebSmacker says

...or even if it is just a button the author can click that emails all buyers and says “CRITICAL UPDATE” in the subject line. Envato can still keep “control” by not letting the authors know who bought the items, but also protect the buyers from security flaws like this. What do you think?

mordauk says

Also, it is worth mentioning that this issue is more like a WordPress issue rather than a plugin issue. We did assume that WP won’t let requests through from visitors without permission to open the plugin page. If WP checked the permissions properly, it could never happen. And you have to understand that there are a lot of automatic subroutines in a framework which aren’t documented, so we never got a chance to know that this can cause problems.

That’s not true. WordPress does perform security checks on plugin pages, but only if you have registered those pages using the WordPress API (add_submenu_page() in this case).

If the code that processes add/edit/delete requests in your plugin is outside of the function that renders the admin page, you must perform your own security checks.

As your plugin is extremely popular, you should also absolutely have an auto update notification integrated. These are not difficult to build and there are quite a few resources (I wrote one of them) that show you how to do it.

Having an option to notify all buyers will never happen as it makes it far too easy to spam buyers with unsolicited emails.
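To make the point about add_submenu_page() concrete, here is an added example (not LayerSlider’s code, and not anything from this thread’s authors) of a hypothetical slider plugin. The menu page, the `example_sliders` table, the `manage_options` capability and all function names are assumptions chosen for illustration. WordPress enforces the capability passed to add_submenu_page() only when it renders that page’s callback; a handler hooked to admin_init runs before that, and admin_init also fires for admin-ajax.php, which logged-out visitors can reach. So the handler must check capability and a nonce itself, as the hardened version does.

```php
<?php
// Added example, not from LayerSlider or this thread. Hypothetical plugin:
// sliders live in $wpdb->prefix . 'example_sliders', admin page needs manage_options.

add_action( 'admin_menu', function () {
    add_submenu_page(
        'options-general.php',
        'Example Sliders',
        'Example Sliders',
        'manage_options',              // WP checks this, but only when rendering the page below
        'example-sliders',
        'example_sliders_render_page'
    );
} );

function example_sliders_render_page() {
    // Every state-changing link carries a nonce so the hardened handler can verify intent.
    $url = wp_nonce_url(
        admin_url( 'admin.php?page=example-sliders&action=remove&id=1' ),
        'example_sliders_remove_1'
    );
    echo '<div class="wrap"><h1>Example Sliders</h1>';
    printf( '<a href="%s">Remove slider 1</a></div>', esc_url( $url ) );
}

// --- Vulnerable pattern: processing hooked outside the page callback, no checks. ---
// add_submenu_page() does not guard this function; whoever reaches the hook can run it.
function example_sliders_handle_actions_vulnerable() {
    global $wpdb;
    if ( isset( $_GET['action'], $_GET['id'] ) && 'remove' === $_GET['action'] ) {
        $wpdb->update(
            $wpdb->prefix . 'example_sliders',
            array( 'flag_deleted' => 1 ),   // "removed" is only a flag, as the authors describe
            array( 'id' => (int) $_GET['id'] ),
            array( '%d' ),
            array( '%d' )
        );
    }
}

// --- Hardened pattern: the handler performs its own authorization and CSRF checks. ---
function example_sliders_handle_actions() {
    global $wpdb;

    if ( ! isset( $_GET['action'], $_GET['id'] ) || 'remove' !== $_GET['action'] ) {
        return;
    }
    $id = absint( $_GET['id'] );

    // 1. Authorization: require the same capability the menu page requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to modify sliders.' ), 403 );
    }

    // 2. Anti-CSRF: the nonce binds the request to a logged-in session and this action.
    //    check_admin_referer() calls wp_die() itself when the nonce is missing or invalid.
    check_admin_referer( 'example_sliders_remove_' . $id );

    $wpdb->update(
        $wpdb->prefix . 'example_sliders',
        array( 'flag_deleted' => 1 ),
        array( 'id' => $id ),
        array( '%d' ),
        array( '%d' )
    );

    wp_safe_redirect( admin_url( 'admin.php?page=example-sliders&removed=1' ) );
    exit;
}
add_action( 'admin_init', 'example_sliders_handle_actions' );
```

The same two checks apply to import and duplicate actions, and to any handler reached through admin-ajax.php or a directly included plugin file: the capability check answers “may this user do this at all”, the nonce answers “did this user actually intend this request”, and neither is supplied for free by registering a menu page.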

WebSmacker says

Having an option to notify all buyers will never happen as it makes it far too easy to spam buyers with unsolicited emails.

I disagree. As a buyer I want to be notified of updates. Why not have a checkbox on the authors’ update page that says “notify buyers of this CRITICAL update” or something like that…

mordauk says

Having an option to notify all buyers will never happen as it makes it far too easy to spam buyers with unsolicited emails.
I disagree. As a buyer I want to be notified of updates. Why not have a checkbox on the authors’ update page that says “notify buyers of this CRITICAL update” or something like that…

Yes, I would as well, but Envato will not implement it because there are far too many sellers that would abuse the feature and use it to send out advertisements for their other plugins to buyers.
