Security Vulnerability Affecting prettyPhoto jQuery Script

All clear now, thanks Stephen!

@StephenCronin my theme is listed as a theme for update, but the only prettyPhoto script in the theme is from a premium bundled plugin. The plugin’s author confirmed that they are using the secure prettyPhoto version and they won’t update the plugin, and I have their latest plugin version in my theme. I already opened support ticket number 244551 about this issue and re-uploaded the theme again with this explanation. Can you please review this issue and confirm that the theme doesn’t need a prettyPhoto update? Thanks.

Hey! I have received a message that my Enfold Theme uses an outdated version of prettyPhoto, however the theme hasn’t used any version of prettyPhoto for more than a year now.

What should I do to make sure that the theme does not get disabled on July 1st?

rayoflightt said

@StephenCronin my theme is listed as a theme for update, but the only prettyPhoto script in the theme is from a premium bundled plugin. The plugin’s author confirmed that they are using the secure prettyPhoto version and they won’t update the plugin, and I have their latest plugin version in my theme. I already opened support ticket number 244551 about this issue and re-uploaded the theme again with this explanation. Can you please review this issue and confirm that the theme doesn’t need a prettyPhoto update? Thanks.

Hi rayoflightt,

I’ve answered the ticket, giving you some details. Hope that explains things. If not, just respond to the ticket. Thanks.

Cheers,
Stephen

Kriesi said

Hey! I have received a message that my Enfold Theme uses an outdated version of prettyPhoto, however the theme hasn’t used any version of prettyPhoto for more than a year now.

What should I do to make sure that the theme does not get disabled on July 1st?

Hey Kriesi,

I’ve checked and prettyPhoto is only in your documentation folder. That’s super unlikely to be exploited (users aren’t going to put the documentation on a live site, although there is a very small chance that they may copy prettyPhoto to use elsewhere).

Can you please update it anyway, just to be 100% safe? Thanks.

Cheers,
Stephen

StephenCronin said
Kriesi said

Hey! I have received a message that my Enfold Theme uses an outdated version of prettyPhoto, however the theme hasn’t used any version of prettyPhoto for more than a year now.

What should I do to make sure that the theme does not get disabled on July 1st?

Hey Kriesi,

I’ve checked and prettyPhoto is only in your documentation folder. That’s super unlikely to be exploited (users aren’t going to put the documentation on a live site, although there is a very small chance that they may copy prettyPhoto to use elsewhere).

Can you please update it anyway, just to be 100% safe? Thanks.

Cheers,
Stephen

Ah, thanks, didn’t think about the documentation folder at all. Will do :wink:

Hi All,

I’m calling it a night here, but will be back in my morning and will try to answer as many questions as I can.

Cheers,
Stephen

Hey guys, starting to update items here, but it was big luck that I checked the mail about this today.
Would be great to put a notice on the marketplace too! (especially if there are items to be disabled soon)

I didn’t see the thread before today either :stuck_out_tongue:

Cheers :smitten:

Yeah, just updating my items too :slight_smile:

Hi there, we too got an email telling us that the KLEO theme needs to be updated, but we already updated Visual Composer to 4.5.3. We were using some data attributes with the prettyPhoto name, but the prettyPhoto library is not used. Just re-submitted an update now with those attributes renamed… hopefully that solves it.

Thank you

Hi,

I have got a mail about this issue and the Envato team informed me to update one of my items. But I have not used the prettyPhoto jQuery script directly in my theme files. The prettyPhoto jQuery script is added by the WooCommerce plugin. I have not included the WooCommerce plugin in my theme files.

So what should I do now? I have got a warning that my item will be disabled by 1st July. Please help me.

Thanks

Hi there! Just want to ask … I’ve updated the prettyPhoto (3.1.6) in two of my items (17 and 24 June), but I didn’t add the “prettyPhoto XSS fix” phrase in the notes. In the update notes I wrote that I updated the prettyPhoto script to v3.1.6 (in the theme files and documentation).

Is this acceptable, or will I need to upload the updates again with a “prettyPhoto resubmit” note? P.S. I have not received the second email that I need to update my items.

Thank you! Best regards, Alexey

I have also received an email about the problem with prettyPhoto and I’m going to fix it and upload with the note “prettyPhoto XSS fix”. Thanks for sharing.

kimonothemes said

Hey guys, starting to update items here, but it was big luck that I checked the mail about this today.
Would be great to put a notice on the marketplace too! (especially if there are items to be disabled soon)

I didn’t see the thread before today either :stuck_out_tongue:

Cheers :smitten:

Good idea about a notice in the marketplace tool. I’ll see if I can arrange that. Thanks!

SeventhQueen said

Hi there, we too got an email telling us that the KLEO theme needs to be updated, but we already updated Visual Composer to 4.5.3. We were using some data attributes with the prettyPhoto name, but the prettyPhoto library is not used. Just re-submitted an update now with those attributes renamed… hopefully that solves it.

Thank you

Hey SeventhQueen,

Thanks for resubmitting KLEO - it’s fine now. We do still have the Sweet Date WordPress theme on our list of items not updated (the landing page has been updated, but not the WordPress theme). Can you please take a look at that and update it? Thanks.

Cheers,
Stephen

BirdwpThemes said

Hi there! Just want to ask … I’ve updated the prettyPhoto (3.1.6) in two of my items (17 and 24 June), but I didn’t add the “prettyPhoto XSS fix” phrase in the notes. In the update notes I wrote that I updated the prettyPhoto script to v3.1.6 (in the theme files and documentation).

Is this acceptable, or will I need to upload the updates again with a “prettyPhoto resubmit” note? P.S. I have not received the second email that I need to update my items.

Thank you! Best regards, Alexey

Hey Alexey,

We’ve got them both as updated already - that’s why you didn’t get the 2nd email. All good.

Cheers,
Stephen

webRedox said

Hi,

I have got a mail about this issue and the Envato team informed me to update one of my items. But I have not used the prettyPhoto jQuery script directly in my theme files. The prettyPhoto jQuery script is added by the WooCommerce plugin. I have not included the WooCommerce plugin in my theme files.

So what should I do now? I have got a warning that my item will be disabled by 1st July. Please help me.

Thanks

Hi webRedox,

I assume you are talking about the Dresscode WordPress theme? Actually you are using prettyPhoto in that. It’s in the following location:

dresscodewp\includes\js\jquery.prettyPhoto.js

That’s version 3.1.5. Can you please update this to 3.1.6?

It’s also in the WooCommerce plugin bundled in your zip file (as you note), in the following location:

plugins\woocommerce.2.2.11.zip\woocommerce\assets\js\prettyPhoto

There are 2 files here that need to be updated (jquery.prettyPhoto.js and jquery.prettyPhoto.min.js). The best approach is to update WooCommerce to the latest version.

Thanks!

Cheers,
Stephen
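The check Stephen describes above (find every prettyPhoto copy in a theme zip, including copies inside bundled plugin zips, and compare its version against 3.1.6) as an added example; this is not code from the thread or from Envato. It assumes the version is readable from the script's `Version: x.y.z` header line (or a `version: 'x.y.z'` body string), and the theme zip it scans is constructed inline to mirror the layout quoted in the thread.

```python
import io
import re
import zipfile

FIXED_VERSION = (3, 1, 6)  # release carrying the XSS fix discussed in the thread
# Assumed version formats: header "Version: 3.1.5" or body version: '3.1.5'
VERSION_RE = re.compile(r"version:\s*['\"]?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)
NAME_RE = re.compile(r"jquery\.prettyphoto(\.min)?\.js$", re.IGNORECASE)

def scan_zip(data: bytes, prefix: str = "") -> list:
    """Walk a theme zip, descending into bundled plugin zips, and report
    every prettyPhoto copy as (path, parsed version, outdated?)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.filename.lower().endswith(".zip"):
                # Bundled plugin archive (e.g. woocommerce.2.2.11.zip): recurse.
                findings.extend(scan_zip(zf.read(info), path + "/"))
            elif NAME_RE.search(info.filename):
                text = zf.read(info).decode("utf-8", errors="replace")
                m = VERSION_RE.search(text)
                version = tuple(int(x) for x in m.groups()) if m else None
                # A copy with no recognisable version string is flagged as well.
                outdated = version is None or version < FIXED_VERSION
                findings.append((path, version, outdated))
    return findings

def outdated_paths(data: bytes) -> list:
    return [path for path, _, bad in scan_zip(data) if bad]

def build_sample_theme() -> bytes:
    """Constructed sample zip (not a real theme) mirroring the paths in the thread."""
    def js(ver: str) -> bytes:
        return f"/* Class: prettyPhoto\n   Version: {ver} */\n".encode()
    woo = io.BytesIO()
    with zipfile.ZipFile(woo, "w") as z:
        z.writestr("woocommerce/assets/js/prettyPhoto/jquery.prettyPhoto.js", js("3.1.5"))
        z.writestr("woocommerce/assets/js/prettyPhoto/jquery.prettyPhoto.min.js", js("3.1.6"))
    theme = io.BytesIO()
    with zipfile.ZipFile(theme, "w") as z:
        z.writestr("dresscodewp/includes/js/jquery.prettyPhoto.js", js("3.1.5"))
        z.writestr("plugins/woocommerce.2.2.11.zip", woo.getvalue())
    return theme.getvalue()

if __name__ == "__main__":
    for path, version, bad in scan_zip(build_sample_theme()):
        print("OUTDATED" if bad else "ok      ", path, version)
```

Run it against a real item with `scan_zip(open("theme.zip", "rb").read())`; every path it flags is a file to replace with the 3.1.6 script (or, for bundled plugins, the plugin to update).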

Hi,

we got this e-mail yesterday too, but we do not understand why. The prettyPhoto which you mentioned in the mail was updated to version 3.1.6 on 20th June 15. We re-submitted the theme yesterday with the “prettyPhoto XSS fix” information again and the theme has been approved, but today in the dashboard we see the information below:

“Please check your inbox for an email sent on 25th June with actions you need to take to prevent one or more of your items being disabled.”

Can you explain why you sent us an e-mail and display this information in the dashboard while everything was fixed already?

We appreciate your help. Thanks!

StephenCronin said
SeventhQueen said

Hi there, we too got an email telling us that the KLEO theme needs to be updated, but we already updated Visual Composer to 4.5.3. We were using some data attributes with the prettyPhoto name, but the prettyPhoto library is not used. Just re-submitted an update now with those attributes renamed… hopefully that solves it.

Thank you

Hey SeventhQueen,

Thanks for resubmitting KLEO - it’s fine now. We do still have the Sweet Date WordPress theme on our list of items not updated (the landing page has been updated, but not the WordPress theme). Can you please take a look at that and update it? Thanks.

Cheers,
Stephen

You are a star Stephen, thanks for taking the time to check our items. Sweetdate update is scheduled for today. Have a great day

muffingroup said

Hi,

we got this e-mail yesterday too, but we do not understand why. The prettyPhoto which you mentioned in the mail was updated to version 3.1.6 on 20th June 15. We re-submitted the theme yesterday with the “prettyPhoto XSS fix” information again and the theme has been approved, but today in the dashboard we see the information below:

“Please check your inbox for an email sent on 25th June with actions you need to take to prevent one or more of your items being disabled.”

Can you explain why you sent us an e-mail and display this information in the dashboard while everything was fixed already?

We appreciate your help. Thanks!

Hi Muffingroup,

I’ve checked your themes and all are down as being updated, so you don’t need to take any further action. The dashboard message is simply there to make sure people read the email - as some people may not notice the email.

Cheers,
Stephen