Update Two (9 July)
We have now disabled any items identified as containing prettyPhoto which are not marked as updated.
There seem to be quite a few authors who believe they are not using prettyPhoto in their items. If your item has been disabled with a note linking to this forum post, then we have found prettyPhoto somewhere in your item zip file. Please search for “.fn.prettyPhoto” in your files (using something like grep). Once found, please update it to the latest version (3.1.6) and resubmit your item.
There have been a few cases where we have not correctly marked items as updated, even though the author has updated the item and resubmitted it using the correct wording in the notes. As a result, the items have been disabled. We apologise if this has happened to you. If it has happened to you, please leave a note here (we’ll be monitoring this thread) and we will re-enable your item as quickly as possible.
Thank you everyone!
We emailed all authors with affected items on 25th June 2015, letting them know that that we will begin disabling items on Wed 1st July. This has been delayed until Mon 6th July.
The email had a subject of “Envato Market Security Notice: Disabling items (prettyPhoto)”. If you received this email, you need to read it carefully and follow the actions outlined in it to avoid your items being disabled.
Original PostThere is an XSS security vulnerability in the prettyPhoto jQuery script (versions before 3.1.6). This script is sometimes included in themes, templates and scripts available from a variety of sources, including ThemeForest and CodeCanyon.
This was first reported in July 2014 (in Spanish), but has received wider exposure in the last few days.
ThemeForest and CodeCanyon Authors:
If you use the prettyPhoto script in your items, please check your items and make sure you are using version 3.1.6. If you are using an older version, you should update your item as soon as possible. We’ll be working towards identifying any affected items and disabling those that are not fixed within a certain timeframe (to be announced).
When submitting an update that addresses these issues, please include the phrase “prettyPhoto XSS fix” in the notes. Please be careful to use this exact phrase, as it makes it easier for us to identify these updates. This will allow us to prioritise the review of updates relating to this issue.
Note: ThemeForest authors, if you include Visual Composer in your items, please be aware that this was using an insecure version of prettyPhoto. It has now been updated to use the secure version. Please update your items to use version 4.5.3 of Visual Composer.
As far as we are aware, this vulnerability is not being exploited in a widespread manner, despite being nearly a year old. We believe this affects a relatively small amount of items on ThemeForest and CodeCanyon, but we will be working with authors and asking them to check that their items are secure and to update them if necessary.
- If you have version 3.1.6, then you have a secure version of the file and no further action is necessary.
- If you have an older version, please update your item as soon as the author has provided updated files.
- If you can’t find the file and there is no mention of it in the item’s documentation, then you are unlikely to be using prettyPhoto. We would still advise you to watch for any updates for your items and apply any that become available, as this is general best practice.
You can check for updates on the Downloads page. If you would like to be automatically notified about new updates, please activate “Item update notifications” in your email settings.