Saturday, September 29, 2012

XSS vulnerability in multiple premium WordPress themes

According to my tests, the following premium WordPress themes by Flow / Devatic are affected by a reflected Cross-site Scripting (XSS) vulnerability:
  • Daisho
  • Konzept
  • TheAgency
  • Sparky
  • PictureFactory
  • Paramount
  • Essence
  • Explicit
  • Eunice
  • Blaze
  • Brisk
  • Shapeless
Developer status: notified. Developer response: considered a minor issue.

Screen-shot of the Blaze theme XSS vulnerability:

According to the developer's Themeforest profile, 5482 sales have been completed. The potential number of affected customers is, however, unknown. I tested 26 separate websites using Flow/Devatic themes. Most of the sites are using WordPress version 3.4.x and at least two are using the latest version. All tested sites were vulnerable to reflected Cross-site Scripting.