StephenCronin
Envato team
says

A security issue was announced today that affects many WordPress plugins and themes and which requires your attention.

Plugin and Theme Authors

Your item will be affected if you use any of the following:

  • add_query_arg()
  • remove_query_arg()
  • TGM Plugin Activation class

There is a small chance that your item will be affected if you are using the Redux or OptionTree frameworks. We are working to confirm this.

What you should do

  • Core Functions
    If you use the add_query_arg() and/or remove_query_arg() functions in your plugin or theme, you need to make sure that you are escaping these functions properly, as outlined on the Make WordPress site.
  • TGM Plugin Activation class
    If you use the TGM Plugin Activation class, then you need to update your item to include version 2.4.2. Previous advice was to use 2.4.1, which addressed the security concerns, but which had a problem with the bulk installer. This has been fixed in 2.4.2.
  • OptionTree
    If you use OptionTree, then although this does use add_query_arg and remove_query_arg, we are confident that none of the instances can be exploited. There will be an update that escapes these functions in future that you should include in your item, but you should not delay updating your items waiting for this.
    UPDATE: Version 2.5.4 of this plugin has been released and is now available from the WordPress plugin directory. This version escapes all instances of the functions and also fixes the term splitting issue for WordPress 4.2 (due to be released very soon). Please update your items to use this version.
  • Redux
    If you use Redux, it also uses these functions. Most are escaped appropriately, but we have a couple of questions and have reached out to the author. We will be providing you with more information very soon.
    UPDATE: There was a minor issue with Redux, which has been fixed in version 3.5.4, now available from the WordPress plugin directory. Please update your items to use this version.
  • Plugins Included With Themes
    Theme Authors: If you have included any affected third-party plugins, we will be emailing you in the coming days so that you can update your theme. In the meantime, you may want to periodically check the plugins you’ve included and see whether these have been updated.

Note: When submitting an update that addresses these issues, please include a note mentioning that this is related to the XSS vulnerability. This will allow us to prioritise the review of the updates.

Buyers

We are currently evaluating all WordPress items sold through Envato Market. Once we have done this, we will notify you if you have purchased an item that is affected. We do not have an exact timeframe for this yet, but we are treating this as a priority and will be keeping you up to date via this forum thread.

In the meantime, the best advice is to periodically check for updates to the theme and plugins you are using and apply any updates as soon as possible.

For more information see

Note

This has been cross-posted on both the CodeCanyon and ThemeForest forums and updates will be given in both places. Here is the CodeCanyon entry.

Cr3ativThemes
says

Is there a way we can improve the review process for security updates, Stephen? A separate queue for example? Just some way of getting the fixed item up quicker? Maybe a checkbox on upload that states ‘security update’ that gets to the top of the list or a different queue.

KrownThemes
says

Hi Stephen

I’ve just tried the new TGM class and it simply doesn’t work. I changed the class completely to the latest version, I deleted the plugins from WordPress, and when I hit “Install Plugins” it doesn’t work. Are you sure that this new version works?

I have a critical update for another theme in the queue, and i cannot get it approved because of this security issue. Meanwhile, our users have a broken site while we try to figure out how to make the new TGM class work.

Regards, Ruben.

Later edit: I see that it works now... It works because of a patch which was applied one hour ago (actually it’s a reversion of the security patch which is clearly broken and doesn’t work), but you guys rejected our theme this morning, when the TGM class was totally broken. Nice :(

StephenCronin
Envato team
says

Is there a way we can improve the review process for security updates, Stephen? A separate queue for example? Just some way of getting the fixed item up quicker? Maybe a checkbox on upload that states ‘security update’ that gets to the top of the list or a different queue.

Maybe one day! But for now you just need to leave a note when you upload. We should be able to find that easily enough and these updates have priority.

StephenCronin
Envato team
says

Later edit: I see that it works now... It works because of a patch which was applied one hour ago (actually it’s a reversion of the security patch which is clearly broken and doesn’t work), but you guys rejected our theme this morning, when the TGM class was totally broken. Nice :(

Yes, I had to rewrite this post several times today as the status of TGM PA changed. There was an update this morning where it was totally broken. As it stands right now, it is patched for the security issue, but there appears to be a long standing bug with the bulk installs.

We’ll keep you posted on this.

Cr3ativThemes
says

Is there a way we can improve the review process for security updates, Stephen? A separate queue for example? Just some way of getting the fixed item up quicker? Maybe a checkbox on upload that states ‘security update’ that gets to the top of the list or a different queue.
Maybe one day! But for now you just need to leave a note when you upload. We should be able to find that easily enough and these updates have priority.

Yes we did this / do this when uploading. OK well I guess they are busy with updates right now, no problem. Thanks for the reply.

KrownThemes
says

Later edit: I see that it works now... It works because of a patch which was applied one hour ago (actually it’s a reversion of the security patch which is clearly broken and doesn’t work), but you guys rejected our theme this morning, when the TGM class was totally broken. Nice :(

Yes, I had to rewrite this post several times today as the status of TGM PA changed. There was an update this morning where it was totally broken. As it stands right now, it is patched for the security issue, but there appears to be a long standing bug with the bulk installs.

We’ll keep you posted on this.

But add_query_arg is still being used in the class. So the class is ok to be used now in this form? Because someone rejected our theme and asked us to use the new class which was broken at the time of speaking and at the time of our update :)

StephenCronin
Envato team
says

But add_query_arg is still being used in the class. So the class is ok to be used now in this form? Because someone rejected our theme and asked us to use the new class which was broken at the time of speaking and at the time of our update :)

Yes, if you download the class now, then it should be secure. It still uses add_query_arg but escapes it where necessary.

Apologies for the confusion this morning – we saw that an update had been made to address the security concern, so started to advise people to update – but we obviously weren’t aware it was broken!

CRIK0VA
says

Thanks for sharing.

Smartik
says

Here is my solution for a quick fix: http://smartik.ws/2015/04/safe-add_query_var-and-remove_query_var/

Instead of adding esc_url everywhere, I’d rather replace the function names. So this is fixed with a simple global search and replace. ;)
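The following is an added example (not code from the thread, from WordPress, or from the linked article) that illustrates both the escaping advice in the first post and the wrapper idea in Smartik's post. It assumes it runs inside WordPress so that add_query_arg(), remove_query_arg(), esc_url() and esc_url_raw() are loaded; the xss_demo_* function names are the example's own.

```php
<?php
/**
 * Added example: why an unescaped add_query_arg() result is a reflected
 * XSS sink, and the two fixes discussed in this thread. Assumes WordPress
 * core is loaded (add_query_arg, remove_query_arg, esc_url, esc_url_raw).
 * All xss_demo_* names are invented for this example.
 */

// With no $url argument, add_query_arg()/remove_query_arg() build on the
// current request URI, which is entirely visitor-controlled. The return
// value is NOT escaped, so printing it into HTML reflects that input.

// VULNERABLE: raw return value concatenated into an href attribute.
function xss_demo_vulnerable_link() {
    $url = add_query_arg( 'paged', 2 );          // derived from the request URI
    return '<a href="' . $url . '">Next</a>';    // attribute context, no escaping
}

// FIXED (the Make WordPress advice): escape at the point of output.
function xss_demo_escaped_link() {
    $url = add_query_arg( 'paged', 2 );
    return '<a href="' . esc_url( $url ) . '">Next</a>';
}

// For non-HTML sinks (a wp_redirect() target, a value stored in the DB)
// use esc_url_raw(): same URL sanitising, without HTML entity encoding.
function xss_demo_redirect_target() {
    return esc_url_raw( remove_query_arg( 'message' ) );
}

// Wrapper approach (the search-and-replace idea in Smartik's post):
// swap every call site for a function that can only ever return an
// escaped URL, so no caller has to remember esc_url() individually.
// Because these use esc_url(), they are for HTML output only; keep the
// esc_url_raw() form above for redirects and storage.
function xss_demo_safe_add_query_arg() {
    return esc_url( call_user_func_array( 'add_query_arg', func_get_args() ) );
}
function xss_demo_safe_remove_query_arg() {
    return esc_url( call_user_func_array( 'remove_query_arg', func_get_args() ) );
}
```

A quick check for an existing theme is to grep for add_query_arg and remove_query_arg and confirm each result is wrapped in esc_url() (HTML) or esc_url_raw() (redirects, storage) before it leaves the function.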
