Security Vulnerability Affecting WordPress Plugins and Themes

A security issue was announced today that affects many WordPress plugins and themes and which requires your attention.

Plugin and Theme Authors

Your item will be affected if you use any of the following:

  • add_query_arg()
  • remove_query_arg()
  • TGM Plugin Activation class

There is a small chance that your item will be affected if you are using the Redux or OptionTree frameworks. We are working to confirm this.

What you should do

  • Core Functions
    If you use the add_query_arg() and/or remove_query_arg() functions in your plugin or theme, you need to make sure that you are escaping these functions properly, as outlined on the Make WordPress site.
  • TGM Plugin Activation class
    If you use the TGM Plugin Activation class, then you need to update your item to include version 2.4.2. Previous advice was to use 2.4.1, which addressed the security concerns, but which had a problem with the bulk installer. This has been fixed in 2.4.2.
  • OptionTree
    If you use OptionTree, then although this does use add_query_arg and remove_query_arg, we are confident that none of the instances can be exploited. There will be an update that escapes these functions in future that you should include in your item, but you should not delay updating your items waiting for this.
    UPDATE: Version 2.5.4 of this plugin has been released and is now available from the WordPress plugin directory. This version escapes all instances of the functions and also fixes the term splitting issue for WordPress 4.2 (due to be released very soon). Please update your items to use this version.
  • Redux
    If you use Redux, it also uses these functions. Most are escaped appropriately, but we have a couple of questions and have reached out to the author. We will be providing you with more information very soon.
    UPDATE: There was a minor issue with Redux, which has been fixed in version 3.5.4, now available from the WordPress plugin directory. Please update your items to use this version.
  • Plugins Included With Themes
    Theme Authors: If you have included any affected third-party plugins, we will be emailing you in the coming days so that you can update your theme. In the meantime, you may want to periodically check the plugins you’ve included and see whether these have been updated.

Note: When submitting an update that addresses these issues, please include a note mentioning that this is related to the XSS vulnerability. This will allow us to prioritise the review of the updates.

Buyers

We are currently evaluating all WordPress items sold through Envato Market. Once we have done this, we will notify you if you have purchased an item that is affected. We do not have an exact timeframe for this yet, but we are treating this as a priority and will be keeping you up to date via this forum thread.

In the meantime, the best advice is to periodically check for updates to the theme and plugins you are using and apply any updates as soon as possible.

For more information see

  • https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
  • https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage/
  • http://wptavern.com/xss-vulnerability-affects-more-than-a-dozen-popular-wordpress-plugins
  • https://poststatus.com/coordinated-plugin-updates-to-address-security-vulnerability-in-many-popular-wordpress-plugins/

Note

This has been cross-posted on both the CodeCanyon and ThemeForest forums and updates will be given in both places. Here is the CodeCanyon entry.
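An added example (not part of the original thread or of any project mentioned in it): a small Python audit script that flags add_query_arg() and remove_query_arg() calls in PHP source that are not nested inside esc_url() or esc_url_raw(), the WordPress URL-escaping functions. The PHP sample is constructed, and the output is a list for manual review, since a URL stored in a variable and escaped later is still reported.

```python
import re

TARGETS = {"add_query_arg", "remove_query_arg"}
ESCAPERS = {"esc_url", "esc_url_raw"}

# Comments and string literals are consumed whole, so names and
# parentheses inside them never reach the call tracker.
TOKEN = re.compile(r"""
    (?P<comment>//[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")
  | (?P<call>[A-Za-z_][A-Za-z0-9_]*)\s*\(
  | (?P<open>\()
  | (?P<close>\))
""", re.VERBOSE | re.DOTALL)


def find_unescaped_calls(php_source):
    """Return (line, function) for target calls with no enclosing escaper."""
    findings = []
    stack = []  # names of the calls whose parentheses are currently open
    for m in TOKEN.finditer(php_source):
        kind = m.lastgroup
        if kind == "call":
            name = m.group("call")
            if name in TARGETS and not ESCAPERS.intersection(stack):
                line = php_source.count("\n", 0, m.start()) + 1
                findings.append((line, name))
            stack.append(name)
        elif kind == "open":
            stack.append("")  # plain grouping parenthesis
        elif kind == "close" and stack:
            stack.pop()
    return findings


# Constructed PHP sample, not taken from any real plugin or theme.
SAMPLE = """<?php
// Constructed sample for the audit script.
echo '<a href="' . add_query_arg( 'tab', 'settings' ) . '">Settings</a>';
echo '<a href="' . esc_url( add_query_arg( 'tab', 'settings' ) ) . '">Settings</a>';
wp_redirect( remove_query_arg( 'msg' ) );
wp_redirect( esc_url_raw( remove_query_arg( 'msg' ) ) );
/* add_query_arg( 'x', 1 ) inside a comment is ignored */
"""

if __name__ == "__main__":
    for line, name in find_unescaped_calls(SAMPLE):
        print(f"line {line}: {name}() is not wrapped in esc_url()/esc_url_raw()")
```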

Is there a way we can improve the review process for security updates, Stephen? A separate queue for example? Just some way of getting the fixed item up quicker? Maybe a checkbox on upload that states ‘security update’ that gets to the top of the list or a different queue.

Hi Stephen

I’ve just tried the new TGM class and it simply doesn’t work. I change the class completely to the latest version, I delete the plugins from WordPress, and when I hit “Install Plugins” it doesn’t work. Are you sure that this new version works?

I have a critical update for another theme in the queue, and I cannot get it approved because of this security issue. Meanwhile, our users have a broken site while we try to figure out how to make the new TGM class work.

Regards, Ruben.

Later edit: I see that it works now… It works because of a patch which was applied one hour ago (actually it’s a reversion of the security patch which is clearly broken and doesn’t work) but you guys rejected our theme this morning, when the TGM class was totally broken. Nice :frowning:

jonathan01 said

Is there a way we can improve the review process for security updates, Stephen? A separate queue for example? Just some way of getting the fixed item up quicker? Maybe a checkbox on upload that states ‘security update’ that gets to the top of the list or a different queue.

Maybe one day! But for now you just need to leave a note when you upload. We should be able to find that easily enough and these updates have priority.

KrownThemes said

Later edit: I see that it works now… It works because of a patch which was applied one hour ago (actually it’s a reversion of the security patch which is clearly broken and doesn’t work) but you guys rejected our theme this morning, when the TGM class was totally broken. Nice :frowning:

Yes, I had to rewrite this post several times today as the status of TGM PA changed. There was an update this morning where it was totally broken. As it stands right now, it is patched for the security issue, but there appears to be a long-standing bug with the bulk installs.

We’ll keep you posted on this.

StephenCronin said
jonathan01 said

Is there a way we can improve the review process for security updates, Stephen? A separate queue for example? Just some way of getting the fixed item up quicker? Maybe a checkbox on upload that states ‘security update’ that gets to the top of the list or a different queue.

Maybe one day! But for now you just need to leave a note when you upload. We should be able to find that easily enough and these updates have priority.

Yes we did this / do this when uploading. OK well I guess they are busy with updates right now, no problem. Thanks for the reply.

StephenCronin said
KrownThemes said

Later edit: I see that it works now… It works because of a patch which was applied one hour ago (actually it’s a reversion of the security patch which is clearly broken and doesn’t work) but you guys rejected our theme this morning, when the TGM class was totally broken. Nice :frowning:

Yes, I had to rewrite this post several times today as the status of TGM PA changed. There was an update this morning where it was totally broken. As it stands right now, it is patched for the security issue, but there appears to be a long-standing bug with the bulk installs.

We’ll keep you posted on this.

But add_query_arg is still being used in the class. So the class is ok to be used now in this form? Because someone rejected our theme and asked us to use the new class which was broken at the time of speaking and at the time of our update :slight_smile:

KrownThemes said

But add_query_arg is still being used in the class. So the class is ok to be used now in this form? Because someone rejected our theme and asked us to use the new class which was broken at the time of speaking and at the time of our update :slight_smile:

Yes, if you download the class now, then it should be secure. It still uses add_query_arg but escapes it where necessary.

Apologies for the confusion this morning - we saw that an update had been made to address the security concern, so started to advise people to update - but we obviously weren’t aware it was broken!

Thanks for sharing.

Here is my solution for a quick fix: http://smartik.ws/2015/04/safe-add_query_var-and-remove_query_var/

Instead of adding esc_url everywhere, I better replace the function names. So this is fixed with a simple global search and replace. :wink:

Well, that’s exactly why I started the following thread 2 years ago: http://themeforest.net/forums/thread/lifetime-free-theme-updates/104160

Am I missing something here? https://github.com/thomasgriffin/TGM-Plugin-Activation there haven’t been any updates for 17 days. The Changelog and Read me are 8 months old?

Is there another version floating around somewhere that has the fixes in?

@meanthemes

It’s in the hotfix branch.
https://github.com/thomasgriffin/TGM-Plugin-Activation/tree/hotfix/2.4.1

:slight_smile:

webcreations907 said

@meanthemes

It’s in the hotfix branch.
https://github.com/thomasgriffin/TGM-Plugin-Activation/tree/hotfix/2.4.1

:slight_smile:

Lovely, so the answer was… yes I was missing something :slight_smile:

Thanks by the way :slight_smile:

webcreations907 said

@meanthemes

It’s in the hotfix branch.
https://github.com/thomasgriffin/TGM-Plugin-Activation/tree/hotfix/2.4.1

:slight_smile:

Right now, it seems the develop branch is probably the best option. It now has the 2.4.1 hotfix changes (including the security issue) and it also fixes the bulk installation bug. Of course it is the develop branch so may have further changes which could introduce bugs etc. Hopefully they will release a full version (ie master branch) soon, but I am not sure of their plans. I’ll try to find out.

themereviewco said

Nicely covered Stephen!

FYI: WordPress Theme Review Team made a big decision today in regards to Theme Options https://make.wordpress.org/themes/2015/04/21/this-weeks-meeting-important-information-regarding-theme-options/ and I just want to cross-reference that since you mentioned Redux and OptionTree.

Thanks Emil,
Thanks for the link. Nice move and something for us to think about! :slight_smile:

Do you have a list of themes known to be at risk?

Come on Stephen, please educate your reviewers about this issue. They rejected our theme again for using the TGM 2.4.1 class :expressionless:

Further information regarding Redux has been added to the original post, as follows:

UPDATE: There was a minor issue with Redux, which has been fixed in version 3.5.4, now available from the WordPress plugin directory. Please update your items to use this version.

awscreative said

Do you have a list of themes known to be at risk?

Not yet, but we are working to get this.