A security issue was announced today that affects many WordPress plugins and themes and which requires your attention.
Plugin and Theme Authors
Your item will be affected if you use any of the following:
- TGM Plugin Activation class
There is a small chance that your item will be affected if you are using the Redux or OptionTree frameworks. We are working to confirm this.
What you should do
If you use the add_query_arg() and/or remove_query_arg() functions in your plugin or theme, you need to make sure that you are escaping the output of these functions properly, as outlined on the Make WordPress site.
TGM Plugin Activation class
If you use the TGM Plugin Activation class, then you need to update your item to include version 2.4.2. Previous advice was to use 2.4.1, which addressed the security concerns, but which had a problem with the bulk installer. This has been fixed in 2.4.2.
If you use OptionTree, then although this does use add_query_arg and remove_query_arg, we are confident that none of the instances can be exploited. There will be an update that escapes these functions in future that you should include in your item, but you should not delay updating your items waiting for this.
UPDATE: Version 2.5.4 of this plugin has been released and is now available from the WordPress plugin directory. This version escapes all instances of the functions and also fixes the term splitting issue for WordPress 4.2 (due to be released very soon). Please update your items to use this version.
If you use Redux, it also uses these functions. Most are escaped appropriately, but we have a couple of questions and have reached out to the author. We will be providing you with more information very soon.
UPDATE: There was a minor issue with Redux, which has been fixed in version 3.5.4, now available from the WordPress plugin directory. Please update your items to use this version.
Plugins Included With Themes
Theme Authors: If you have included any affected third-party plugins, we will be emailing you in the coming days so that you can update your theme. In the meantime, you may want to periodically check the plugins you’ve included and see whether these have been updated.
Note: When submitting an update that addresses these issues, please include a note mentioning that this is related to the XSS vulnerability. This will allow us to prioritise the review of the updates.
We are currently evaluating all WordPress items sold through Envato Market. Once we have done this, we will notify you if you have purchased an item that is affected. We do not have an exact timeframe for this yet, but we are treating this as a priority and will be keeping you up to date via this forum thread.
In the meantime, the best advice is to periodically check for updates to the theme and plugins you are using and apply any updates as soon as possible.
For more information see
This has been cross-posted on both the CodeCanyon and ThemeForest forums and updates will be given in both places. Here is the ThemeForest entry.
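To find the calls that the "What you should do" section asks you to escape, a heuristic audit script can flag them. This is an added example, not code from Envato, WordPress or the frameworks named above. It assumes esc_url() (HTML output) and esc_url_raw() (redirects, storage) are the wrappers you use, and the function name and sample lines are constructed for illustration.

```php
<?php
// Added example: heuristic audit for add_query_arg()/remove_query_arg() output
// that is not wrapped in an escaping function at the call site.

// Wrappers treated as safe (assumption: extend if your code base uses others).
const SAFE_WRAPPERS = '(?:esc_url_raw|esc_url)';

/**
 * Return [line number => source line] for calls that are not directly wrapped.
 * Heuristic: only recognises wrapping on the same line as the call; a URL
 * stored in a variable and escaped later is flagged and needs manual review.
 */
function find_unescaped_query_arg_calls(string $source): array
{
    $findings = [];
    foreach (preg_split('/\R/', $source) as $i => $line) {
        // Count every call to either function on this line.
        $calls = preg_match_all('/\b(?:add|remove)_query_arg\s*\(/', $line);
        if (!$calls) {
            continue;
        }
        // Count the calls that are the first argument of a safe wrapper.
        $wrapped = preg_match_all(
            '/\b' . SAFE_WRAPPERS . '\s*\(\s*(?:add|remove)_query_arg\s*\(/',
            $line
        );
        if ($calls > $wrapped) {
            $findings[$i + 1] = trim($line);
        }
    }
    return $findings;
}

// Constructed sample: lines 2 and 4 use the URL unescaped, lines 3 and 5 are fixed.
$sample = <<<'SRC'
<?php
echo '<a href="' . add_query_arg( 'tab', 'settings' ) . '">Settings</a>';
echo '<a href="' . esc_url( add_query_arg( 'tab', 'settings' ) ) . '">Settings</a>';
wp_redirect( remove_query_arg( 'updated' ) );
wp_redirect( esc_url_raw( remove_query_arg( 'updated' ) ) );
SRC;

foreach (find_unescaped_query_arg_calls($sample) as $no => $line) {
    echo "line $no: $line\n";
}
```

To audit a real item, pass each PHP file's contents from file_get_contents() to the function and review every flagged line by hand.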