Envato Market Security Notice: MediaElements.js Library

Hi Everyone,

There is a known XSS vulnerability in the MediaElements.js library (versions before 2.21.2).

This library is sometimes included in themes, templates and scripts available from a variety of sources, including ThemeForest and CodeCanyon.

Note although the report linked to above mentions WordPress, the vulnerability exists in the MediaElements.js library itself and will affect all items that include it (not just WordPress items).

ThemeForest and CodeCanyon Authors:

If you use the MediaElements.js library in your items, please check your items and make sure you are using version 2.21.2 or higher. If you are using an older version, you should update your item as soon as possible.

Note: We have found in similar cases in the past that not all authors realise that they are using libraries such as this one. You may not have included it directly, but it may be included by another script that you did include in your item. We therefore recommend that all authors use grep or a similar tool to search for instances of “mediaelements.js” in your zip file.

When submitting an update that addresses these issues, please include the phrase “MediaElements.js XSS fix” in the notes. Please be careful to use this exact phrase, as it makes it easier for us to identify these updates.

If you have already updated your items, thank you!


This vulnerability is of medium severity. As far as we are aware, it is not being exploited in a widespread manner. This affects a relatively small amount of items on ThemeForest and CodeCanyon, but we are asking authors to check that their items are secure and to update them if necessary.

It is important that you monitor the items you have purchased for any updates and to install any updates provided by the author as soon as possible after they are released.

You can check for updates on the Downloads page. If you would like to be automatically notified about new updates, please activate “Item update notifications” in your email settings.

1 Like