Important: Serious Vulnerability in Revolution Slider & Showbiz Pro (WordPress) Plugins

As you may know, yesterday we learned about a serious vulnerability in two popular WordPress plugins available for sale on CodeCanyon: Revolution Slider and Showbiz Pro (WordPress).

This vulnerability allows remote attackers to access the servers of all sites using early versions of these plugins. We expect numerous websites to potentially be at risk and are moving to help buyers secure their sites immediately.

Please read the official announcement on the Market Blog for:

  • Detailed information such as versions affected
  • Advice for concerned buyers
  • A list of all themes that reference either Revolution Slider or Showbiz Pro in their item description as well as bundles that included the themes or plugins

We take security very seriously at Envato and would like to apologize to all buyers affected by this incident. We are reviewing our communication systems to make sure we find out and alert buyers faster in future.

Headache time :frowning: Hope everyone moves swiftly to fix it!

Hey Natalia,

I think if we have an option to leave a message to purchasers in our update notification email, 90% of the problem will be fixed, as this issue was fixed by @ThemePunch in February but not many people were informed about it.

Cheers,
Iman

In such times it may be a nice opportunity to consider using a service like Sucuri, especially their firewall.

Hi guys,

A while back I posted on the forums a modified version of the TGM plugin that can also notify users when a new update is available in the theme package. I strongly recommend you use it, as your clients can easily update the plugins as soon as you (as an author) add the updated plugin to your theme.

I use this modification in all my themes, and users can easily update the included plugins.

Best regards,
Stefan

This is why I absolutely hate themes that pack every known popular plugin into their theme. OK, it saves me $15 buying the plugin, but I am at the author's mercy when they fix issues / release updates to the plugin, as I don't get my own purchase code.

I would rather spend another $15 buying the plugin to:

1 - get support from the plugin author

2 - get updates of the plugin straight away

This is constantly happening and it's a pain in the ass for theme users; the last big one was TimThumb and it took months for sites to be fixed.

Envato need to sort out a way a theme author can bundle a plugin in their item but the theme buyer still gets updates for the plugin in case the author has abandoned the theme. Not sure how this would work, but there does need to be a solution.

Gareth_Gillman said

This is why I absolutely hate themes that pack every known popular plugin into their theme. OK, it saves me $15 buying the plugin, but I am at the author's mercy when they fix issues / release updates to the plugin, as I don't get my own purchase code.

I would rather spend another $15 buying the plugin to:

1 - get support from the plugin author

2 - get updates of the plugin straight away

This is constantly happening and it's a pain in the ass for theme users; the last big one was TimThumb and it took months for sites to be fixed.

Envato need to sort out a way a theme author can bundle a plugin in their item but the theme buyer still gets updates for the plugin in case the author has abandoned the theme. Not sure how this would work, but there does need to be a solution.

Just wanted to point out that even if the plugin is bundled with the theme, you can always purchase that specific plugin if you want extra support for it :slight_smile:

Best regards,
Stefan

More proof that we should not be bundling plugins into our themes. When will Envato act on this matter?

ThemeFuzz said
Gareth_Gillman said

This is why I absolutely hate themes that pack every known popular plugin into their theme. OK, it saves me $15 buying the plugin, but I am at the author's mercy when they fix issues / release updates to the plugin, as I don't get my own purchase code.

I would rather spend another $15 buying the plugin to:

1 - get support from the plugin author

2 - get updates of the plugin straight away

This is constantly happening and it's a pain in the ass for theme users; the last big one was TimThumb and it took months for sites to be fixed.

Envato need to sort out a way a theme author can bundle a plugin in their item but the theme buyer still gets updates for the plugin in case the author has abandoned the theme. Not sure how this would work, but there does need to be a solution.

Just wanted to point out that even if the plugin is bundled with the theme, you can always purchase that specific plugin if you want extra support for it :slight_smile:

Best regards,
Stefan

I know that and have done it, but most theme buyers won't. There is a major flaw in the current system which Envato needs to look at to protect buyers from this kind of thing.

natman said

As you may know, yesterday we learned about a serious vulnerability in two popular WordPress plugins available for sale on CodeCanyon: Revolution Slider and Showbiz Pro (WordPress).

This vulnerability allows remote attackers to access the servers of all sites using early versions of these plugins. We expect numerous websites to potentially be at risk and are moving to help buyers secure their sites immediately.

Please read the official announcement on the Market Blog for:

  • Detailed information such as versions affected
  • Advice for concerned buyers
  • A list of all themes that reference either Revolution Slider or Showbiz Pro in their item description as well as bundles that included the themes or plugins

We take security very seriously at Envato and would like to apologize to all buyers affected by this incident. We are reviewing our communication systems to make sure we find out and alert buyers faster in future.

Hi,

By any chance, can you remove our Untield WP theme from the list of potentially affected themes? From the first theme version we have shipped Revolution Slider version 4.5.95, which is not affected by this vulnerability.

Best regards,
Stefan

Hello,

From the ThemePunch team, we would like to sincerely apologise to all our affected customers.

We would also like to thank all our customers and other developers who use our products. We appreciate that this security flaw has caused yourselves and our fellow developers extra work.

Thanks to the support of Envato for informing all our customers and giving out our latest release to our loyal customers.

Best Regards,

ThemePunch

ThemeFuzz said

Hi,

By any chance, can you remove our Untield WP theme from the list of potentially affected themes? From the first theme version we have shipped Revolution Slider version 4.5.95, which is not affected by this vulnerability.

Best regards,
Stefan

The blog post says that most of those themes have already been updated.

As I see it, that list is for buyers to check whether they purchased one of those themes and whether they have the updated theme installed.

If your theme is removed, someone may think the problem has nothing to do with him and may not check the version he has against the one on ThemeForest.

doru said
ThemeFuzz said

Hi,

By any chance, can you remove our Untield WP theme from the list of potentially affected themes? From the first theme version we have shipped Revolution Slider version 4.5.95, which is not affected by this vulnerability.

Best regards,
Stefan

The blog post says that most of those themes have already been updated.

As I see it, that list is for buyers to check whether they purchased one of those themes and whether they have the updated theme installed.

If your theme is removed, someone may think the problem has nothing to do with him and may not check the version he has against the one on ThemeForest.

Hi,

I was mentioning that our theme in question was released almost 4 weeks ago. Our clients don't have to check their plugin version, as it is already the latest one :slight_smile:. I just don't want to alarm our clients and make them test for something that isn't there.

Off topic: I see that at least one theme was soft rejected :smiley:

Best regards,
Stefan

ThemeFuzz said

I was mentioning that our theme in question was released almost 4 weeks ago. Our clients don't have to check their plugin version, as it is already the latest one :slight_smile:. I just don't want to alarm our clients and make them test for something that isn't there.

Well, if you put it like this :smiley: then your theme has no place in that list.

Of course it is damaging, but it is damage control now. Since your item is new, it doesn't have to carry the burden of the past on its shoulders.

Better contact support about this; new items are very “fragile”, no need for unwanted negative publicity.

ThemesDepot said

More proof that we should not be bundling plugins into our themes. When will Envato act on this matter?

Thanks for asking, ThemesDepot. As Collis said in the main post, “We are also going to revisit how updates are handled for bundles and themes that include separate plugins.”

@Natman : Thanks a lot for creating this thread.

natman said
ThemesDepot said

More proof that we should not be bundling plugins into our themes. When will Envato act on this matter?

Thanks for asking, ThemesDepot. As Collis said in the main post, “We are also going to revisit how updates are handled for bundles and themes that include separate plugins.”

Yep. Brilliant idea! Prohibit the use of Visual Composer, Revolution Slider and Layer Slider!.. but there may be a minor side effect: themes will stop selling.

themepunch said

Hello,

from the ThemePunch Team, we would like to sincerely apologise to all our affected customers.

We would also like to thank all our customers and other developers who use our products. We appreciate that this security flaw has caused yourselves and our fellow developers extra work.

Thanks to the support of Envato for informing all our customers and giving out our latest release to our loyal customers.

Best Regards,

ThemePunch

IMO there’s no reason to apologize. You fixed the issues long before it went public.

And those who are still using a vulnerable version of the plugin are people who have no access to updates… who use a pirated version, in other words :slight_smile:

@natman, could you please remove all of my themes from the affected list? Any that were potentially affected have been updated, and you've listed plenty of my themes that were released well after the 4.2 security update that fixed this flaw.

I know you've scraped that theme list for speed, but I can count at least 5 of my themes in that list that should be nowhere near it.

EDIT: Sorry, that list is useless. I'll admit one of my themes was affected by this, and it's not even in that list; then you've added multiple of my themes that are not affected, and they are in this list?! Can't wait for all the support tickets from my confused buyers…
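A practical check for the point doru and Pixelentity make above: a buyer has to compare the copy actually installed on the site against the fixed release, not the one listed on ThemeForest. The script below is an added example for this thread, not code from Envato, ThemePunch or any theme author. It assumes the standard WordPress plugin header (a "Plugin Name:" / "Version:" comment at the top of the main plugin file, which WordPress reads from the first 8 KiB), the plugin directory name revslider, and a fixed version of 4.2, which is the figure Pixelentity cites in this thread and should be confirmed against the official announcement before anyone relies on it. The sample plugin files it scans are constructed.

```python
"""Find WordPress plugins installed below a known fixed version.

Added example for this thread, not code from Envato, ThemePunch or a theme
author. Assumptions: the standard WordPress plugin header, the directory
slug "revslider", and 4.2 as the first fixed Revolution Slider release (the
figure cited in the thread; confirm it against the official announcement and
add the Showbiz Pro entry from the same source).
"""
import re
import tempfile
from pathlib import Path

_HEADER_FIELDS = ("Plugin Name", "Version")

# Plugin directory slug -> earliest version without the flaw (assumed, see above).
FIXED_VERSIONS = {"revslider": "4.2"}


def parse_plugin_header(text: str) -> dict:
    """Return the header fields found in the first 8 KiB of a plugin file.

    Mirrors the pattern WordPress's get_file_data() uses: optional comment
    punctuation, the field name, a colon, then the rest of the line.
    """
    head = text[:8192]
    fields = {}
    for name in _HEADER_FIELDS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(name) + r":(.*)$", head, re.M | re.I)
        if m:
            # Drop a trailing '*/' when the comment block closes on the same line.
            fields[name] = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return fields


def version_below(installed: str, fixed: str) -> bool:
    """True when `installed` sorts before `fixed`, comparing dotted numeric parts.

    Simplified: pre-release tags such as "-beta" are ignored, unlike PHP's
    version_compare(); "4.2.0" and "4.2" compare equal.
    """
    a = [int(p) for p in re.findall(r"\d+", installed)]
    b = [int(p) for p in re.findall(r"\d+", fixed)]
    n = max(len(a), len(b))
    a += [0] * (n - len(a))
    b += [0] * (n - len(b))
    return a < b


def scan_plugins(wp_root: Path) -> list:
    """Return (slug, plugin name, version) for every plugin under wp-content/plugins."""
    found = []
    plugins_dir = Path(wp_root) / "wp-content" / "plugins"
    if not plugins_dir.is_dir():
        return found
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        # The main file is whichever top-level .php file carries a Plugin Name header.
        for php in sorted(plugin_dir.glob("*.php")):
            hdr = parse_plugin_header(php.read_text(errors="replace"))
            if "Plugin Name" in hdr:
                found.append((plugin_dir.name, hdr["Plugin Name"], hdr.get("Version", "")))
                break
    return found


def flag_outdated(found: list, fixed_versions: dict = FIXED_VERSIONS) -> list:
    """Return the entries whose version is below the fixed version for their slug.

    A tracked plugin with no readable version is flagged too: unknown is not safe.
    """
    return [(slug, name, ver) for slug, name, ver in found
            if slug in fixed_versions and (not ver or version_below(ver, fixed_versions[slug]))]


# Constructed sample site: an old slider copy, an unrelated plugin, and a
# Showbiz Pro copy for which no fixed version has been entered yet.
SAMPLE_FILES = {
    "wp-content/plugins/revslider/revslider.php":
        "<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.1.4\n*/\n",
    "wp-content/plugins/hello/hello.php":
        "<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.6\n */\n",
    "wp-content/plugins/showbiz/showbiz.php":
        "<?php\n/*\nPlugin Name: Showbiz Pro\nVersion: 1.5.4 */\n",
}


def demo() -> list:
    """Write the sample site to a temporary directory, scan it, return the flagged plugins."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content)
        return flag_outdated(scan_plugins(root))


if __name__ == "__main__":
    for slug, name, ver in demo():
        print(f"{slug}: {name} {ver} is below the fixed version {FIXED_VERSIONS[slug]}")
```

Point scan_plugins at a real document root and pass the result to flag_outdated. It only sees plugins that are actually installed: a newer copy that exists only inside the theme zip on ThemeForest, the gap Gareth_Gillman describes, leaves the installed version unchanged and is still flagged, which is exactly what a buyer needs to know.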

Dream-Theme said
natman said
ThemesDepot said

More proof that we should not be bundling plugins into our themes. When will Envato act on this matter?

Thanks for asking, ThemesDepot. As Collis said in the main post, “We are also going to revisit how updates are handled for bundles and themes that include separate plugins.”

Yep. Brilliant idea! Prohibit the use of Visual Composer, Revolution Slider and Layer Slider!.. but there may be a minor side effect: themes will stop selling.

This is not entirely true… Many authors have made their own frameworks and page builders, as well as slider plugins.

On one level, I would agree with limiting authors' use of these types of plugins, but only because an extended license is too cheap in my opinion. Many authors are making their themes based solely on this type of plugin (for example, Visual Composer). There is very little input on what the author really does for a theme that includes these plugins (coding-wise).

Best regards,
Stefan