Security Vulnerability Affecting prettyPhoto jQuery Script

Update Two (9 July)

We have now disabled any items identified as containing prettyPhoto which are not marked as updated.

There seem to be quite a few authors who believe they are not using prettyPhoto in their items. If your item has been disabled with a note linking to this forum post, then we have found prettyPhoto somewhere in your item zip file. Please search for “.fn.prettyPhoto” in your files (using something like grep). Once found, please update it to the latest version (3.1.6) and resubmit your item.

There have been a few cases where we have not correctly marked items as updated, even though the author has updated the item and resubmitted it using the correct wording in the notes. As a result, the items have been disabled. We apologise if this has happened to you. If it has happened to you, please leave a note here (we’ll be monitoring this thread) and we will re-enable your item as quickly as possible.

Thank you everyone!

Update One

We emailed all authors with affected items on 25th June 2015, letting them know that that we will begin disabling items on Wed 1st July. This has been delayed until Mon 6th July.

The email had a subject of “Envato Market Security Notice: Disabling items (prettyPhoto)”. If you received this email, you need to read it carefully and follow the actions outlined in it to avoid your items being disabled.

Original Post

This was first reported in July 2014 (in Spanish), but has received wider exposure in the last few days.

ThemeForest and CodeCanyon Authors:

If you use the prettyPhoto script in your items, please check your items and make sure you are using version 3.1.6. If you are using an older version, you should update your item as soon as possible. We’ll be working towards identifying any affected items and disabling those that are not fixed within a certain timeframe (to be announced).

When submitting an update that addresses these issues, please include the phrase “prettyPhoto XSS fix” in the notes. Please be careful to use this exact phrase, as it makes it easier for us to identify these updates. This will allow us to prioritise the review of updates relating to this issue.

Note: ThemeForest authors, if you include Visual Composer in your items, please be aware that this was using an insecure version of prettyPhoto. It has now been updated to use the secure version. Please update your items to use version 4.5.3 of Visual Composer.

Buyers:

As far as we are aware, this vulnerability is not being exploited in a widespread manner, despite being nearly a year old. We believe this affects a relatively small amount of items on ThemeForest and CodeCanyon, but we will be working with authors and asking them to check that their items are secure and to update them if necessary.

If you wish to check whether your items include an affected version of prettyPhoto, we suggest first checking each item’s documentation to see whether it mentions prettyPhoto and the version number. If it does not, you will need to search the item’s file structure for the jquery.prettyphoto.js file. In most cases, authors will place all included javascript files in a common folder named something similar to “includes”, “js”, “scripts”, “assets”, etc. If you find the jquery.prettyphoto.js file, open it with a text editor and check the version number.

• If you have version 3.1.6, then you have a secure version of the file and no further action is necessary.
• If you have an older version, please update your item as soon as the author has provided updated files.
• If you can’t find the file and there is no mention of it in the item’s documentation, then you are unlikely to be using prettyPhoto. We would still advise you to watch for any updates for your items and apply any that become available, as this is general best practice.

You can check for updates on the Downloads page. If you would like to be automatically notified about new updates, please activate “Item update notifications” in your email settings.

AAAH! Just Started updating items…

Thinking forward, I think these issues could be presented to authors more clearly, perhaps a dashboard tab related to recent security issues? We could tick off the ones that don’t apply to our themes and even assign existing items to each issue so that when we update the theme we’re presented with a notification that the update needs to include a fix for issue X, Y or Z.

Given the importance of some of these issues, I think a better announcements and management tool would be fantastic for everyone involved.

Thanks for communicating this Stephen!

tommusrhodus said

Thinking forward, I think these issues could be presented to authors more clearly, perhaps a dashboard tab related to recent security issues? We could tick off the ones that don’t apply to our themes and even assign existing items to each issue so that when we update the theme we’re presented with a notification that the update needs to include a fix for issue X, Y or Z.

Given the importance of some of these issues, I think a better announcements and management tool would be fantastic for everyone involved.

Thanks for communicating this Stephen!

Some great ideas there @tommusrhodus - thanks, we’ll look into what we can do.

HA HA HA. Thanks for giving this information. I am updating this

Hi All,

Just updated the original post to say:

Note: ThemeForest authors, if you include Visual Composer in your items, please be aware that this currently uses an insecure version of prettyPhoto. We have contacted the author and are hopeful that a new version will be coming soon. You will need to wait until this is fixed and then update Visual Composer in your items.

Thanks for notifying us. We just pushed update for Visual Composer and it is using latest and secure version of prettyPhoto (3.1.6) now.

Hi All,

Just updated the original post to say this:

Note: ThemeForest authors, if you include Visual Composer in your items, please be aware that this was using an insecure version of prettyPhoto. It has now been updated to use the secure version. Please update your items to use version 4.5.3 of Visual Composer.

WPBakery - thanks for updating so quickly!

StephenCronin said

Hi All,

Just updated the original post to say this:

Note: ThemeForest authors, if you include Visual Composer in your items, please be aware that this was using an insecure version of prettyPhoto. It has now been updated to use the secure version. Please update your items to use version 4.5.3 of Visual Composer.

WPBakery - thanks for updating so quickly!

Hi I receveid the email with some theme to update. But my themes don’t load or use the in the back-end and front-end the prettyPhoto plugin but use a FancyBox js script.

I use Visual Composer but I removed the css and js original of the plugin and load mine scripts.

some thoughts?

@StephenCronin you do realize what that “vulnerability” does?

For your information: https://packetstormsecurity.com/files/124096/WordPress-Pretty-Photo-Cross-Site-Scripting.html

Strictly speaking this is not a vulnerability. There’s zero server-side risk.

What’s the point of making people updating their stuff?

Hey Bluxart,

If the prettyPhoto code never runs on the site, then it probably should be fine (I don’t believe it can exploited by directly accessing the file as in the case of some other vulnerabilities).

However, we’d still recommend updating your item to use the latest version of Visual Composer as soon as possible.

Cheers,
Stephen

Instead of making authors updating items for risk that is not real, better go and fix the Author Dashboard that is broken for at least a week: http://themeforest.net/forums/thread/author-dashboard-is-broken/180905

I just received an email saying:
“We’ve identified that you are using prettyPhoto in the following items for sale via ThemeForest or CodeCanyon: …”

I do not use PP at all. I guess I have to update the bundled Visual Composer?

StephenCronin said

Hey Bluxart,

If the prettyPhoto code never runs on the site, then it probably should be fine (I don’t believe it can exploited by directly accessing the file as in the case of some other vulnerabilities).

However, we’d still recommend updating your item to use the latest version of Visual Composer as soon as possible.

Cheers,
Stephen

Thanks Stephan, only prettyPhoto code run with WooCommerce. But in this case is WooCommerce to update the plugin right? The themes not installed by default woocommerce, but the user need download and install WooCommerce Plugin.

||+1288581|Dream-Theme said-|| @StephenCronin you do realize what that "vulnerability" does?

For your information: https://packetstormsecurity.com/files/124096/WordPress-Pretty-Photo-Cross-Site-Scripting.html

Strictly speaking this is not a vulnerability. There’s zero server-side risk.

What’s the point of making people updating their stuff?

Yep, we understand what the vulnerability does. It’s not persistent, but it is possible to inject JavaScript into the client side via the URL (I have replicated this myself using a ThemeForest theme that uses prettyPhoto).

If you can trick someone into visiting a link with malicious JavaScript appended (which is not that hard to do), you can execute your JavaScript in their browser, which is a vulnerability.

The article you linked to rates the risk as moderate, which is roughly in line with our analysis. You’ll note that we did not immediately disable items as we have done in previous cases when the risk has been higher.

Ultimately we want buyers to be able trust items they buy from ThemeForest authors, so we treat security risks seriously.

||+1288585|Dream-Theme said-|| Instead of making authors updating items for risk that is not real, better go and fix the Author Dashboard that is broken for at least a week: http://themeforest.net/forums/thread/author-dashboard-is-broken/180905

Hey Dream-Theme,

That would be looked after by a totally different team from mine, but I’ll pass that along and make sure the appropriate team is aware of the issue.

Cheers,
Stephen

fuelthemes said

I just received an email saying:
“We’ve identified that you are using prettyPhoto in the following items for sale via ThemeForest or CodeCanyon: …”

I do not use PP at all. I guess I have to update the bundled Visual Composer?

Hi FuelThemes,

Yep, if prettyPhoto is only in your zip file through Visual Composer, then all you need to do is update to use the current version of Visual Composer (4.5.3).

StephenCronin said

If you can trick someone into visiting a link with malicious JavaScript appended (which is not that hard to do), you can execute your JavaScript in their browser, which is a vulnerability.

If you can trick someone into visiting a link with malicious JavaScript appended, you can simply trick someone into visiting malicious site with nice URL. No XSS needed

StephenCronin said

||+1288585|Dream-Theme said-|| Instead of making authors updating items for risk that is not real, better go and fix the Author Dashboard that is broken for at least a week: http://themeforest.net/forums/thread/author-dashboard-is-broken/180905

Hey Dream-Theme,

That would be looked after by a totally different team from mine, but I’ll pass that along and make sure the appropriate team is aware of the issue.

Cheers,
Stephen

Would be great. Because at this moment I’m not sure why I have to let Envato have part of my earnings for providing me broken tools

Bluxart said

Thanks Stephan, only prettyPhoto code run with WooCommerce. But in this case is WooCommerce to update the plugin right? The themes not installed by default woocommerce, but the user need download and install WooCommerce Plugin.

Where is the prettyPhoto code coming from? Is it coming from WooCommerce itself? Then they need to update it (and WooThemes have already updated all their themes so presumably know about fixing it for WooCommerce).

If it’s coming from Visual Composer, then best to update to use the latest version of that to make sure.

If you got the email from us, that means we did detect the prettyPhoto library in your zip file somewhere (presumably in Visual Composer).