Vulnerability in LayerSlider 3.5, update it!

As I see it, the issue is now fixed. I'm posting this on the forum so people like me would know what to do, as the author doesn’t care much about notifying buyers that the issue existed and is now fixed. In their changelog for 3.6 I see “Some minor bug fixes” :slight_smile:


Yesterday, one of my clients reported that the LayerSlider on his homepage was “deleting” itself and he had to recreate it. After some digging in the code, I found that anyone can remove/import/duplicate these layersliders just by sending a simple request without admin access, and probably someone knew this too and was just “playing”.

As far as my coding knowledge tells me, this vulnerability can’t harm anything except layersliders. The mistake is completely childish and very easy to find; probably the team of developers isn’t very experienced in PHP.

Version 3.5 has been selling on CodeCanyon for a few months, as far as I can tell, and many themes from ThemeForest even have it bundled.

LOL! It’s bundled with the top-selling ThemeForest theme.

Yep, it would be great if Envato had some kind of notification system for such cases.

Thanks, I am actually using it in one of my projects.

Hello,

We are the authors of this plugin.

Yes, this was a security issue, but we already fixed it quickly with version 3.6 as soon as we discovered this problem. We are sorry about this and of course it was our responsibility, but there are several reasons why we didn’t mention this issue. As you may know, most of our customers are out of reach since Envato doesn’t offer any way to alert all of our customers. So the most important reason why we didn’t want to make this issue public is that some of our customers are still using v3.5 and we actually could make it worse by letting “hackers” get to know about this issue. This is the case with this forum thread. You may alert a few LayerSlider WP users, but you also make this issue public and now some bad people can use it to mess with our customers.

We did everything we could to tell our customers how important updating the plugin is. We did write a comment in the comments section of the item, although we didn’t mention this issue because of the reasons above. We did make contact with popular theme authors like the Avada guys and they now ship their themes with LayerSlider WP version 3.6.

We truly believe that this issue is a minor security case. It only affects the plugin; there is no door into your WP installation. The intruder cannot actually delete your sliders, they are only flagged as removed, but the slider is still in your database unmodified and you can recover it at any time.

Also, it is worth mentioning that this issue is more like a WordPress issue rather than a plugin issue. We did assume that WP won’t let requests through from visitors without permission to open the plugin page. If WP checked the permissions properly, it could never happen. And you have to understand that there are a lot of automatic subroutines in a framework which aren’t documented, so we never got a chance to know that this could cause problems.

Now the problem is that everyone who wants to make bad jokes and reads this topic will start digging into this issue and they can mess with people who haven’t updated the plugin. You should know that we can’t do anything to tell everyone how important updating the plugin is. Very few of them will read this thread and we truly think this wasn’t a smart step because you basically told every “hacker” how they can use a security hole, which won’t end well.

Again, this issue is already fixed and we didn’t mention it not to cover our mistake, but for the safety of our customers. We are truly sorry for any inconvenience.

Not allowing authors to contact the customers about issues like this is a major flaw in the Envato system. Even if it is just a text box with a send button that emails all buyers, it would be better than nothing!

…or even if it is just a button the author can click that emails all buyers and says “CRITICAL UPDATE” in the subject line. Envato can still “control” it by not letting the authors know who bought the items, but also protect the buyers from security flaws like this. What do you think?

kreatura said

Also, it is worth mentioning that this issue is more like a WordPress issue rather than a plugin issue. We did assume that WP won’t let requests through from visitors without permission to open the plugin page. If WP checked the permissions properly, it could never happen. And you have to understand that there are a lot of automatic subroutines in a framework which aren’t documented, so we never got a chance to know that this could cause problems.

That’s not true. WordPress does perform security checks on plugin pages, but only if you have registered those pages using the WordPress API (add_submenu_page() in this case).

If the code that processes add/edit/delete requests in your plugin is outside of the function that renders the admin page, you must perform your own security checks.

As your plugin is extremely popular, you should also absolutely have an auto update notification integrated. These are not difficult to build and there are quite a few resources (I wrote one of them) that show you how to do it.

Having an option to notify all buyers will never happen as it makes it far too easy to spam buyers with unsolicited emails.
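To illustrate mordauk’s point in code: the following is an added example written for this thread, not LayerSlider’s own code. It uses a hypothetical plugin called myslider with made-up function names, and contrasts a handler that acts on request parameters from an early hook (which WordPress does not protect) with one that lives inside an add_submenu_page() callback and additionally verifies the capability and a nonce itself.

```php
<?php
/*
 * Added example, not LayerSlider's code. Hypothetical plugin "myslider":
 * a "remove slider" handler done the unprotected way, then done the way
 * mordauk describes: inside the add_submenu_page() callback, with an
 * explicit capability check and a nonce check.
 */

// --- Unprotected pattern: the handler trusts request parameters and runs on
// 'init', i.e. for every visitor, logged in or not. WordPress applies no
// capability check here because nothing was registered through its API. ---
function myslider_handle_request_insecure() {
    if ( isset( $_GET['myslider_action'] ) && 'remove' === $_GET['myslider_action'] ) {
        myslider_flag_removed( isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0 );
    }
}
// add_action( 'init', 'myslider_handle_request_insecure' ); // do not hook it like this

// --- Hardened pattern ---
function myslider_register_menu() {
    // WordPress enforces the capability only for pages registered this way;
    // the callback is never reached by a user lacking 'manage_options'.
    add_submenu_page(
        'tools.php',
        'My Slider',
        'My Slider',
        'manage_options',      // capability WP checks before rendering
        'myslider',
        'myslider_render_page'
    );
}
add_action( 'admin_menu', 'myslider_register_menu' );

function myslider_render_page() {
    // The handler sits inside the page callback and still re-checks the
    // capability explicitly, so it stays safe if it is ever moved elsewhere.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( isset( $_GET['myslider_action'] ) && 'remove' === $_GET['myslider_action'] ) {
        $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
        // CSRF protection: dies unless the request carries a valid nonce
        // bound to this action and this slider id.
        check_admin_referer( 'myslider_remove_' . $id );
        myslider_flag_removed( $id );
        echo '<div class="updated"><p>Slider flagged as removed.</p></div>';
    }

    // Links to state-changing actions must carry the matching nonce.
    $remove_url = wp_nonce_url(
        add_query_arg(
            array( 'page' => 'myslider', 'myslider_action' => 'remove', 'id' => 1 ),
            admin_url( 'tools.php' )
        ),
        'myslider_remove_1'
    );
    echo '<a href="' . esc_url( $remove_url ) . '">Remove slider 1</a>';
}

function myslider_flag_removed( $id ) {
    // Hypothetical storage: a soft-delete flag kept in a WordPress option,
    // mirroring the "flagged as removed, still in the database" behaviour
    // the authors describe above.
    $removed        = get_option( 'myslider_removed', array() );
    $removed[ $id ] = true;
    update_option( 'myslider_removed', $removed );
}
```

The capability registered with add_submenu_page() is what lets WordPress reject the request before the callback runs; current_user_can() and check_admin_referer() inside the callback are the plugin’s own checks, which is what any handler outside the page-render function has to do for itself.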

mordauk said

Having an option to notify all buyers will never happen as it makes it far too easy to spam buyers with unsolicited emails.

I disagree. As a buyer I want to be notified of updates. Why not have a checkbox on the authors update page that says “notify buyers of this CRITICAL update” or something like that…

iapcsolutions said
mordauk said

Having an option to notify all buyers will never happen as it makes it far too easy to spam buyers with unsolicited emails.

I disagree. As a buyer I want to be notified of updates. Why not have a checkbox on the authors update page that says “notify buyers of this CRITICAL update” or something like that…

Yes I would as well but Envato will not implement it because there are far too many sellers that would abuse the feature and use it to send out advertisements of their other plugins to buyers.

mordauk said
iapcsolutions said
mordauk said

Having an option to notify all buyers will never happen as it makes it far too easy to spam buyers with unsolicited emails.

I disagree. As a buyer I want to be notified of updates. Why not have a checkbox on the authors update page that says “notify buyers of this CRITICAL update” or something like that…

Yes I would as well but Envato will not implement it because there are far too many sellers that would abuse the feature and use it to send out advertisements of their other plugins to buyers.

And why would authors abuse this feature for advertisement? Because Envato doesn’t take any steps to help authors promote their items enough (e.g. advanced search, …). But yes, I agree with you: even if authors get enough promotion, there would be some who would still abuse it. Still, it would be possible to have some special actions. Since updates are also getting reviewed, authors could check this “Notify Customers about this urgent update” checkbox and reviewers can double-check it, for example. :slight_smile:

Envato WordPress Toolkit

== Description ==

This toolkit plugin establishes an Envato Marketplace API connection to take advantage of the new wp-list-themes & wp-download methods created specifically for this plugin. These API methods grant access to information about your purchased themes and create temporary download URLs for installing and upgrading those themes. Basically, users that have purchased themes from ThemeForest.net can now install and upgrade any theme that takes advantage of these new methods.

For end users, all that’s required to get started is an Envato Marketplace username & API key, and to have purchased one of the many WordPress themes found on ThemeForest.net.

That only works for ThemeForest themes, not CodeCanyon plugins.

mordauk said

Yes I would as well but Envato will not implement it because there are far too many sellers that would abuse the feature and use it to send out advertisements of their other plugins to buyers.

You must not have understood my suggestion, because there was no way they could advertise other plugins. It would just notify buyers of an update to the one they bought. Also, if the author is abusing it by sending out too many updates, it can be caught by the reviewer because it is being done on the update page… everyone wins!! :slight_smile: