Tuesday, October 2, 2012

XSS vulnerability in Parallelus premium WordPress themes

According to my tests, at least the following premium WordPress themes by Parallelus are affected by a reflected Cross-site Scripting (XSS) vulnerability:
Developer status: contact attempt through a web-form, no response. I have also tried to contact two sites using the Unite-theme, but there has been no responses.

Update from the developer: all affected Parallelus themes are now corrected

Screen-shot of the Unite theme XSS vulnerability:

Screen-shot of a website using one of these themes - test case executes a remote Javascript:

Developer's Themeforest profile indicates over 18,000 completed sales, but not all the themes and templates are vulnerable. The number of potentially affected sites could still be high: there has been 4,816 purchases of the Unite-theme alone. Affected sites include personal blogs, but also corporate websites.

I have tested several premium WordPress themes during the last week. The number of found issues is alarming. These cases are challenging from pentesting perspective:
  • identifying potentially affected sites is a big task due to high volumes
  • contacting all affected sites would take too much time
  • many of the developers are difficult to reach and they might consider XSS as a minor issue
Therefore I'm trying to spread information through this blog and Twitter. Please help me if you think it is important to share information especially with the affected sites.

Update 6-Oct-2012 - online references:
F-Secure weblog posting
Threatpost news entry
PC Maganize Securitywatch
OSVDB entries


  1. Thank you for looking into this. We've made updates to all Parallelus themes to correct this problem.

  2. Hello Andy. Many thanks for your fast response and corrections