A security issue was announced today that affects many WordPress plugins and themes and which requires your attention.
Plugin and Theme Authors
Your item will be affected if you use any of the following:
add_query_arg()
remove_query_arg()
TGM Plugin Activation class
There is a small chance that your item will be affected if you are using the Redux or OptionTree frameworks. We are working to confirm this.
What you should do
Core Functions
If you use the add_query_arg() and/or remove_query_arg() functions in your plugin or theme, you need to make sure that you are escaping these functions properly, as outlined on the Make WordPress site.
TGM Plugin Activation class
If you use the TGM Plugin Activation class, then you need to update your item to include version 2.4.2. Previous advice was to use 2.4.1, which addressed the security concerns, but which had a problem with the bulk installer. This has been fixed in 2.4.2.
OptionTree
If you use OptionTree, then although this does use add_query_arg and remove_query_arg, we are confident that none of the instances can be exploited. There will be an update that escapes these functions in future that you should include in your item, but you should not delay updating your items waiting for this. UPDATE: Version 2.5.4 of this plugin has been released and is now available from the WordPress plugin directory. This version escapes all instances of the functions and also fixes the term splitting issue for WordPress 4.2 (due to be released very soon). Please update your items to use this version.
Redux
If you use Redux, it also uses these functions. Most are escaped appropriately, but we have a couple of questions and have reached out to the author. We will be providing you with more information very soon. UPDATE: There was a minor issue with Redux, which has been fixed in version 3.5.4, now available from the WordPress plugin directory. Please update your items to use this version.
Plugins Included With Themes
Theme Authors: If you have included any affected third-party plugins, we will be emailing you in the coming days so that you can update your theme. In the meantime, you may want to periodically check the plugins you’ve included and see whether these have been updated.
Note: When submitting an update that addresses these issues, please include a note mentioning that this is related to the XSS vulnerability. This will allow us to prioritise the review of the updates.
Buyers
We are currently evaluating all WordPress items sold through Envato Market. Once we have done this, we will notify you if you have purchased an item that is affected. We do not have an exact timeframe for this yet, but we are treating this as a priority and will be keeping you up to date via this forum thread.
In the meantime, the best advice is to periodically check for updates to the theme and plugins you are using and apply any updates as soon as possible.
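As an added example, not part of the original post or of any Envato or WordPress code: a shell triage script that lists every add_query_arg()/remove_query_arg() call in a plugin or theme tree that has no WordPress escaping function on the same line, which is the pattern the advisory asks authors to fix. The sample plugin file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Triage script (added example, not from the original post). The fix the
# advisory asks for is esc_url() around the call when the result lands in
# HTML (href, action, src) and esc_url_raw() when it feeds wp_redirect() or
# a header. Without an explicit URL argument both functions build on
# $_SERVER['REQUEST_URI'], so the unescaped result reflects request data.
# This is a line-based heuristic: a call stored in a variable and escaped
# later is a false positive, so review every hit by hand.

# Print "file:line:text" for each unescaped-looking call under directory $1.
audit_query_args() {
    find "$1" -type f -name '*.php' -exec grep -nHE \
        '(add|remove)_query_arg[[:space:]]*\(' {} + 2>/dev/null |
        grep -vE 'esc_url(_raw)?[[:space:]]*\(|esc_attr[[:space:]]*\(|esc_html[[:space:]]*\(' || true
}

# Number of hits, for a quick pass/fail step in a pre-upload check.
audit_query_args_count() {
    audit_query_args "$1" | grep -c .
}

# Constructed sample tree (hypothetical plugin code, not any real item):
# two unescaped sinks that should be flagged, two escaped ones that should not.
write_sample_tree() {
    mkdir -p "$1/inc"
    cat > "$1/inc/admin.php" <<'EOF'
<?php
echo '<a href="' . add_query_arg( 'action', 'export' ) . '">Export</a>';
wp_redirect( remove_query_arg( 'updated' ) );
echo '<a href="' . esc_url( add_query_arg( 'action', 'import' ) ) . '">Import</a>';
wp_redirect( esc_url_raw( remove_query_arg( 'updated' ) ) );
EOF
}

# Stand-alone use: sh audit.sh /path/to/your/theme
if [ -n "${1:-}" ]; then
    audit_query_args "$1"
fi
```

Run it over the item directory before uploading the update; an empty report means every call on a single line is wrapped, not that every sink is safe.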
Is there a way we can improve the review process for security updates, Stephen? A separate queue, for example? Just some way of getting the fixed item up quicker? Maybe a checkbox on upload that states ‘security update’ that gets to the top of the list or a different queue.
I’ve just tried the new TGM class and it simply doesn’t work. I change the class completely to the latest version, I delete the plugins from WordPress, and when I hit “Install Plugins” it doesn’t work. Are you sure that this new version works?
I have a critical update for another theme in the queue, and I cannot get it approved because of this security issue. Meanwhile, our users have a broken site while we try to figure out how to make the new TGM class work.
Regards, Ruben.
Later edit: I see that it works now… It works because of a patch which was applied one hour ago (actually it’s a reversion of the security patch which is clearly broken and doesn’t work) but you guys rejected our theme this morning, when the TGM class was totally broken. Nice
Is there a way we can improve the review process for security updates, Stephen? A separate queue, for example? Just some way of getting the fixed item up quicker? Maybe a checkbox on upload that states ‘security update’ that gets to the top of the list or a different queue.
Maybe one day! But for now you just need to leave a note when you upload. We should be able to find that easily enough and these updates have priority.
Later edit: I see that it works now… It works because of a patch which was applied one hour ago (actually it’s a reversion of the security patch which is clearly broken and doesn’t work) but you guys rejected our theme this morning, when the TGM class was totally broken. Nice
Yes, I had to rewrite this post several times today as the status of TGM PA changed. There was an update this morning where it was totally broken. As it stands right now, it is patched for the security issue, but there appears to be a long-standing bug with the bulk installs.
Is there a way we can improve the review process for security updates, Stephen? A separate queue, for example? Just some way of getting the fixed item up quicker? Maybe a checkbox on upload that states ‘security update’ that gets to the top of the list or a different queue.
Maybe one day! But for now you just need to leave a note when you upload. We should be able to find that easily enough and these updates have priority.
Yes we did this / do this when uploading. OK well I guess they are busy with updates right now, no problem. Thanks for the reply.
Later edit: I see that it works now… It works because of a patch which was applied one hour ago (actually it’s a reversion of the security patch which is clearly broken and doesn’t work) but you guys rejected our theme this morning, when the TGM class was totally broken. Nice
Yes, I had to rewrite this post several times today as the status of TGM PA changed. There was an update this morning where it was totally broken. As it stands right now, it is patched for the security issue, but there appears to be a long-standing bug with the bulk installs.
We’ll keep you posted on this.
But add_query_arg is still being used in the class. So the class is ok to be used now in this form? Because someone rejected our theme and asked us to use the new class, which was broken at the time of speaking and at the time of our update.
But add_query_arg is still being used in the class. So the class is ok to be used now in this form? Because someone rejected our theme and asked us to use the new class, which was broken at the time of speaking and at the time of our update.
Yes, if you download the class now, then it should be secure. It still uses add_query_arg but escapes it where necessary.
Apologies for the confusion this morning - we saw that an update had been made to address the security concern, so started to advise people to update - but we obviously weren’t aware it was broken!
Right now, it seems the develop branch is probably the best option. It now has the 2.4.1 hotfix changes (including the security issue) and it also fixes the bulk installation bug. Of course it is the develop branch so may have further changes which could introduce bugs etc. Hopefully they will release a full version (i.e. master branch) soon, but I am not sure of their plans. I’ll try to find out.
Further information regarding Redux has been added to the original post, as follows:
UPDATE: There was a minor issue with Redux, which has been fixed in version 3.5.4, now available from the WordPress plugin directory. Please update your items to use this version.