1,000+ WordPress Themes on Envato Market Potentially Affected by Slider Revolution Security Vulnerability


A couple days ago we wrote about a critical security vulnerability that was found in the popular WordPress Slider Revolution plugin and silently patched by its author. Envato Market has since launched further investigation of the matter, as the product is not only hosted on their marketplace but also packaged with many other products.

The company has identified more than 1,000 themes sold through its marketplace that are potentially affected by this vulnerability. While many of the products have already been patched, some theme authors have not yet acted. In recognition of the severity of this vulnerability and the ease with which it’s exploited, the marketplace is temporarily disabling themes that have not yet been patched:

We are starting to temporarily disable affected themes that haven’t been updated, contacting authors of those themes to get an update through ASAP. This will take a while as there are a lot of themes to manually sort through.

Even with the products getting patched, the next challenge is to get users to update. Many themes do not have an auto-update system included to notify users and WordPress users do not always apply updates as soon as they are available, for fear of breaking something. Envato Market is addressing this by emailing users to inform them of the security vulnerability:

We will be contacting all buyers of affected themes directly via their Envato Market email address asap, to ensure they read and act on this information.

Envato Market published detailed instructions to help users determine if they are affected and update accordingly.

The Danger of Bundling Plugins With Themes

When a security vulnerability potentially affects more than 1,000 products, silent patching is not acceptable. This should have been publicly disclosed by the ThemePunch team at the time it occurred, which might have prevented this vulnerability from being actively exploited in the wild.

At the end of the post, Envato Market highlights what they are doing to ensure that this doesn’t happen again:

We will be releasing guidelines and processes to make sure issues like this get to us faster, and to help authors make sure their buyers are updated and patched as fast as possible.

We are also going to revisit how updates are handled for bundles and themes that include separate plugins.

Unfortunately, “more guidelines and processes” do not address the root of this problem. This vulnerability highlights the danger of allowing theme authors to bundle plugins in their products. Envato Market would have no need to list out 1,000+ potentially affected themes if it discouraged, or even forbade, theme authors from bundling plugins.

Since the vast majority of Envato’s top-selling themes do not follow industry best practices, forbidding them to bundle plugins would most certainly result in a loss of profit. There seems to be little incentive for Envato Market to act decisively on the lesson of this security vulnerability and move toward best practices.

Respected professionals in the WordPress community have been calling on theme authors to keep plugins separate for years. This situation has renewed the debate:

Historically, Envato has been slow to act on theme best practices. Last year’s addition of a GPL licensing option and the updated theme submission requirements were a good start, but authors have found ways to skirt the requirements. Justin Tadlock offers some insight on this practice, following his Themeforest experiment:

Based on what I’ve seen in the forums, many authors are just looking for ways to do what they’ve already been doing but just putting it in a plugin packaged with their theme. Basically, they don’t want anyone to “steal their code” nor do they want to truly make a wonderful user experience, one in which users will keep coming back long after they’ve switched to a new theme. If you package your plugin functionality into a plugin that’s only ever going to be useful with your theme, then you’re _doing_it_wrong(). That’s what I envision, but I hope that’s the sort of thing Envato will take a stand against. Otherwise, you’re just pulling the same ol’ tricks in a different costume.

This experience prompted Tadlock to continue building standalone plugins that theme authors can add support for when building their products. This frees theme authors up to focus on the theme itself and offer better data portability for users via plugins. Adopting a standard for plugin functionality is good for users and creates less work for theme authors. They can continue building more themes, instead of wasting time patching their themes for a slider’s security vulnerability.

WordPress is now used by more than 23% of the world’s websites and will always be a target for hackers looking to exploit vulnerabilities. If Envato Market doesn’t take a stand against theme authors packaging plugins, it will continue to encounter the same security problems that are topping the headlines this week.


37 responses to “1,000+ WordPress Themes on Envato Market Potentially Affected by Slider Revolution Security Vulnerability”

    • Think about the number of themes sold on ThemeForest built with and using Visual Composer. I bet it outclips Slider Revolution at least 3 fold. From what I gathered, that plugin is what provides drag and drop page building to themes. So instead of building the functionality into the theme, it’s cheaper and faster to just buy Visual Composer and bundle it.

    • Justin

      A thousand themes which might feature this slider inherently implies that the market is demanding it from the developers. And while the number seems significant, put into the perspective of the tens of milions of websites built on wordpress, it is still but a drop in the bucket.

      You already knew, before you ever wrote your comment, that most themes have more then one slider script in them, and the goal was to give the user choice, rather then binding them to just one option.

      • A thousand themes which might feature this slider inherently implies that the market is demanding it from the developers.

        I’m not arguing that the market is demanding otherwise.

        You already knew, before you ever wrote your comment, that most themes have more then one slider script in them, and the goal was to give the user choice, rather then binding them to just one option.

        No, I didn’t know that most themes [on ThemeForest] have more than one slider script in them.

  1. How does Envato handle updates for the plugins they sell? Do they require users to download and manually install them or do they have an automatic update system in place like most commercial plugins not sold on ThemeForest do? If it’s a manual process that makes this an even bigger disaster.

  2. Whilst 1,000+ themes are listed on ThemeForest as using Revolution Slider, I’ve done a trawl through a sample of themes and the vulnerability doesn’t affect anywhere near as many as on the Evanto list (they say in fact in their blog that their list is just a search of every theme using Rev Slider, regardless of the version and whether it’s vulnerable to the exploit).

    Nevertheless, it does raise a lot of debate and you’ve just got to look at some of these themes that come with five different choices of slider module installed, etc, and alarm bells start ringing!

    Worth saying that these themes that use Rev Slider will normally prompt the user to install the plugin after the new WordPress theme is setup, with the plugin zip file stored ready in the theme folder ready to be installed and activated by the user. Therefore the slider is a standalone plugin and does give the user some choice, so they can just delete it and choose something else (though I suppose it’s hit and miss how nice another slider plays with the theme, esp. some of the more creative themes that build the home page design completely around the slider panel!).

    (Many other themes include a slider panel directly coded into the theme files, so users might be stuck with that).

    As the article says, the problem seems to be that these premium themes are using a premium slider, and the plugin doesn’t have access to an auto-upgrade facility, so users could well be using a very old version of the plugin and not be aware it’s old.

    But if the themes supported a slider that was well supported on the WordPress repository, perhaps that would be a better solution?

    Also I know LayerSlider is used by a lot of themes on ThemeForest (probably more so than Rev Slider) – am I right in thinking this does have access to an auto-update facility? (I haven’t looked into this properly so I might be wrong!).

  3. I’ve never understood, agreed with this bundling of premium plugins in themes for many reasons.

    Themes are themes, plugins are plugins, if you mix the two in this manner inside this eco system, as per these 1000 themes, then this is what will eventually happen unfortunately. Of course if things were in place to offer auto updates to plugins to those who didn’t actually buy the plugin this wouldn’t be an issue.

    Envato set out the rules, they have ultimate control on what is accepted for sale. Maybe this policy needs heavy review, but then I feel if they do not allow this bundling, many buyers will not like the fact that they have to purchase a plugin, and many authors will feel that their ‘edge’ on sales of saying $400 of plugins are ‘included’ will cause issues. Educating both authors and buyers would be needed for sure, to make all parties understand that it’s simply not the way to go. Offer support for a plugin for sure, just don’t ‘bundle’. Envato may however see this as a negative to the bottom line and cause buyers to complain about what they get for their $45.

    This now proves that this practice isn’t good for anyone and I am sure they will attempt to make changes, exactly what and when will be a matter of time I am sure. Having email notifications when an item is updated is OK but they have that switched off by default I believe – never understood why no one would want notification so it shouldn’t even be an option in my opinion.

    I do commend Envato on their swift efforts in attempting to reach out to buyers, theme authors etc. to get the issues fixed but feel it will be a hard hill to climb. I worry that potential buyers will again see this as a reason not to buy a theme from ThemeForest.

    We came under a little pressure when we decided to not include plugins (bundle), and more so when we created our own plugins for free that anyone can use and we ship from our own site. We did this so we had full control over development and updates. Also we contemplated offering via the WP.org plugin repository but that would mean we would have to supply support, on another system, that would demand human resources we can’t really afford to offer. It was a decision I contemplated for some time and ultimately did what I thought was best.

    I will say that we also do not have automatic updates for our plugins / themes and rely on our support forums, social media, email list and envato notifications and that is not good, we realize this. However, we are looking at a new system that will notify users of our themes of updates automatically and hope to have updates to our existing themes that will add this function here shortly so that we can better serve our buyers.

    Unfortunately I feel that, with 1,000 themes there will be issues for buyers as there may be an amount of theme abandonment – hence no updates to the theme and Envato will need to deal with that somehow.

    • Anyone can use the slider on any theme, and it’s safe to use the latest one just like any software that is maintained. The problem arises when people bundle a premium plugin with a theme in this manner where essentially buyers don’t have a license to enable them to update and get notification of updates.

  4. I rarely, rarely take the time to comment in wp blogs. And this article is a perfect example why, disingenuous and self serving from start to finish, and with support from the usual wordpress.com proxies.

    This article is so sensationalist in its tone and structure, that it actually makes me ill. As if this plugin is the only item ever to have come out of the wordpress ecosphere that has a fault! The wordpress core is replete with hacks over its history. Timthumb, once a darling of wordpress, the same thing. PHP, MySQL, all have needed patches and sometimes had critical vulnerabilities.

    The cherry picking of quotes from Envato without context reminds me of grade school writing. I had forgotten grade school. Thank you not.

    Your are all quite late to the party but boy are you each enjoying your moment of glory to stand on the pulpit and beat down the poor plugin authors, who do outstanding work by the way. They patched the vulnerability immediately after it being identified, and they reached out to every author whom they knew employed it in their theme. Responsible authors had the update included in their theme not long thereafter. I know of the trail of abandoned products some of you have in your background (I have on my desktop somewhere one of Sarah’s abandoned plugins, i think to do with gmaps if my memory serves me correctly) and i find this very much a situation of the cat calling the kettle black.

    One cannot force a site owner to update. Much of the blame for this falls onto designers who love to take a customer’s money to build a site, and then leave them high and dry after completion – how many of you reading or commenting fit into that category?

    This whole question of plugins bundled into themes is also I believe a “red herring”. To a coder such as I and my team peers, a plugin is just another script, bundled in a potentially convenient way. Most often its better for the theme to have the script purely integrated. But buyers of themes purchase the same way they buy houses – they don’t want the no-name brand kitchen cabinets, but instead the Thomasville, Kraftmaid or something else with brand recognition. They perceive added value to premium plugin integration, and one either provides that added value, or the sales go elsewhere.

    And this is part of my reasoning for finding this article so disingenuous, as certainly the great Sarah Gooding, with all her vast wealth of knowledge building themes (?), websites (?) and understanding what the majority of designers and DIY users desire, had to have known why premium plugins appear in themes, unless of course…… well its the “of course” wherein lies the rub is it not?

    But then what do I know. Our sole themeforest product only has 17K+ sales, and our private designer products yet much more. Hardly enough to know anything at all about the subject…… we really should spend more time pontificating by way of blogs, and less time coding, so we can learn what comprises a good wp theme!

    I saw the quote by pippen. Sorry, we just don’t agree. And we are theme builders. We outrank plugin authors. So when we publish our tweet (we have much higher sales and user rating) calling for more plugins to be put in themes will you provide equal exposure in your article to our tweet so as to provide some balance to your post? LOL. I don’t think so as it won’t serve your purposes will it…..

    I remember when I was doing my first math degree. The very first course is calculus 101 (of course!), and the prof, wanting to put the fear of god into us started his lecture by telling us to look to the student to our left, and then to the student to our right, and if he were successful, both would have been weeded out by the end of the year. You all remind me of the student to my left and right. And why we ignore the wp “experts” and just go about the business of building themes and creating happy outcomes for our customer base(s).

    PS Rev Slider Team – thank you for a great product with a superb record of ongoing support.

    • Yes, I mostly agree with you here.

      Community response has been warranted for the fact that there was a security issue (that was patched 6 MONTH AGO).

      But this entire outrage seems to be more about disliking authors making themes that have hundreds of options rather than authors including a feature that their buyers are actually asking for (Slider Rev).

      The bullying of Envato by many in the WordPress Community isn’t about the Slider Revolution plugin, it’s a long time festering dislike for themes with too many options and years of authors developing themes that don’t adhere to WordPress standards.

      So if you’re going to bash on a company and the authors on their platform, bash them for the reason that you’re actually upset about. Nagging on about this plugin’s long fixed security issue is hypocritical to say the least.

    • James, great post and one actually worth reading. I think what you have here are a bunch of people that are jealous of the popularity of some of the authors on ThemeForest whether they are theme devs or plugin devs or even just a common theme consumer (non-developer).

      One guy mentioned that themes won’t get updated and themeforest will lose customers or something like that. Look at the numbers: a theme that has 10k+ sales at $55+ each … yeah their just going to walk away from supporting their theme because they have to update one of the sliders they bundled. James, those 17,600+ people that bought your theme (which has 7 slider options) and rated you almost 5 stars (4.74 average based on 2587 ratings) must just not know what they are talking about, right? lol BTW James, your theme has been on my radar for quite some time. Can’t wait to try it out one day soon! :)

      As an owner of more than 100+ products on Envato, the developers I choose to purchase from are awesome at supporting their products. Revolution slider (ThemePunch) is one of the better known and well-built sliders there is. With more than 30k purchases and a 4.78 average rating based on 2979 ratings, tell me it’s a crappy product. Do you think that I’m going to stop using Themeforest or even Revolution Slider because of this? Oh holy cow that is comical.

  5. Hi All,

    Note, that the list contains *all* themes that mention the affected plugins, even themes that were released yesterday and have the latest version of the plugin.

    We’re being conservative due to the seriousness of this issue. We can’t be sure that the theme developer isn’t using a version of the plugin they downloaded long ago, so we’re including everything.

    From what I’ve seen, quite a few of the themes on the list have either been fixed long ago or never had the problem. Others are affected. We’ve also started seeing quite a few updates coming through from theme authors to address this.

    Also, note the following that I’ve cut and pasted from our forums:

    The list contains all themes that reference either Revolution Slider or Showbiz Pro in their item description. We’ve taken a conservative approach due to the seriousness and urgency of the situation.

    We’ll continue to update the list as we receive new information — i.e., confirmation themes do or don’t need to be there — from our developers. While we’ve made every effort to identify affected themes, if you’re an author of an affected theme not in the list please email me here.

    The number one priority right now is that all affected buyers are aware of the situation and take necessary steps to protect themselves. Thanks for your patience and understanding.

  6. The mass prevalence on ThemeForest of bundling plugins into themes, a practice we certainly didn’t want to adopt, was one of the reasons we decided not to release our most recent theme on TF. How are you supposed to compete with products that throw caution and best practices to the wind, bundling in hundreds of dollars’ worth of other products for which the customer has no real license?

    These products lead buyers to believe that a $45 theme that *doesn’t* bundle in a multitude of other products is over-priced or a rip-off, which is just ridiculous.

    I would love to see Envato go much deeper in their response to this, ruling out this practice completely. Would it hurt their bottom line? Perhaps, but having this kind of critical security failure that exposes thousands of their customers isn’t exactly going to help the bottom line either. And if theme authors start advertising *support* for plugins instead of bundling the plugins themselves in, that ultimately benefits the plugin authors (and Envato) who should see more sales as a result.

  7. Another problem of this whole episode that not an awful lot of people tend to see is Child Themes or should I say the lack thereof?

    Many of the people purchasing WP themes on Themeforest don’t know the how, what, why on Child Themes. You think they make one after buying any of the list of 1K+?

    No, they don’t and because they don’t want to lose their site, they cannot update their theme.

    It is therefore irrelevant of the author of said theme has or has not updated it to patch the security of Revolution Slider. As long as the user is not made aware of this issue, these remains a gaping, security hole!

    Every week I see websites with crappy Themeforest themes installed and maybe 95% of those does not have a child theme setup.

    How is Envato going to contact/protect those users?

    I have said it a few times already and I say it again: Envato is ultimately responsible for this security disaster and the only just thing they can do at this point and per immediate is to forbid themes bundling plugins.

    • I think it’s a bit more nuanced then “it’s all Envato’s fault”. While some responsibility lies with Envato for allowing such an environment where this issue can occur, I feel the majority of the responsibility lies with the theme developers who should know about the risks of using third-party code in their product that they sell and are supposed to support. If you include third-party code/functionality in your product that you sell, you better have a way to support it. Finally website owners have a responsibility to keep up on the products and services they use on their WordPress sites – you just can’t throw it up on the web and ignore it. If they had a developer help them set the site up, it behooves the developer to provide a list of what themes and plugins are being used and to educate the site owners on how to ensure that they keep up-to-date.

      To conclude:
      1) Envato needs to encourage a better theme environment (which they are starting the process of doing) to avoid these types of issues.
      2) Theme developers need to make sure that if they include third-party code and functionality that they have a way of supporting it
      3) Buyers of themes need to stay up to date with what they’re actually using on their site. Ignorance is dangerous.

  8. Hi,

    I shouldn’t laugh but am quite hardly. I have avoided WordPress and it’s followers of wannabe script kiddies for a long time. Though for sure there are some great DEV’s for WP.

    For years it has been probably the most simple and well known script to have multiple holes and annoyances. Buying themes/plugin’s from young guys/kids or even being given them without knowing the coding language yourself is a risky business. I have found themes in the past where the hacker was so lame they simply base64()’d their malicious code, and Joe Public wouldn’t have a clue. So after minimal issues with a mini blog I use for news on a larger site (WP3) I decided to start beta testing v4.. and have been for a couple of weeks now having much fun defending the script and files.. If not for email alerts telling me files had been accessed in the second beta the test site would of been toast.

    I’m quite happy now running 4.1-alpha-20140905 but still getting attacked by idiots trying to brute force the fake admin page, for days now… there are some helpful security plugin’s but none of them do everything. No offence but WP has “hack me for fun” written all over it. So many flaws that only a hacker mind would see. Either way.. check your code and don’t buy from random’s people.

    I’m back to carry on work at my test site and see what they can come up with next.

    I may be sticking around the WP community as I have surprised myself with what can actually be done with it, you would never guess it is a blog now. Arcade plugin incoming soon :)


  9. You shouldn’t stop theme developers from bundling or developing around their favorite plugins. That’s just ridiculous and holds back creativity. The only thing that should be discussed is making the developers keep the plugins, that are bundled, more or less separated from the theme’s files so they get updated just like a plugin that was installed on it’s own. It’s that easy.

    I was a .net web developer, I use to build everything from scratch in a past life. Now I use WordPress and themeforest themes (and other themes) and they are awesome if you get the right ones from the good developers. Incorporating good plugins with a WordPress theme is really no different than incorporating good .NET controls into a .NET website such as Telerik or Component One. When they found XSS vulnerabilities that were caused by Telerik controls did you hear ANYONE start a fire about how Telerik controls should not be used for .Net websites? No, they got patched just as this will do. The only thing that should be in question is whether the plugins that are used in a theme can be updated easily just as if they were purchased separately. Also, not Envato’s fault. Clearly lies on the shoulders of the developers and the end users. Envato is just a store more or less.

    Don’t hold back a developer from their vision. Revolution Slider is a great slider. I use it often and prefer it over most of the others. What happens when WordPress has another security flaw? Are all the Chicken Littles going to cry how all WordPress websites should not use WordPress anymore? Might as well shut your whole computer down and just walk away from the digital world now.

    I use Wordfence and Sucuri plugins, Wordfence has autoupdate activated. All my sites were protected automatically within hours.

  10. Can we please not forget that MojoMarketplace sells a lot of themes that has Revolution slider integrated. What makes the situation worst with MojoMarketplace is that they have first-hand access to more new WordPress users. The fact is that their theme market is integrated into the cPanel ‘1-Click Install’ interface of a lot of shared web-hosts. For a lot of new users to WordPress a shared web-host is the place to go (cost). When these new users want to make their website look good, MojoMarket place is being actively pushed on them by the web-host.

    After having read a lot of discussions on the ‘shittiness’ of ThemeForest, especially since this RevolutionSlider security ****, where is the mention of MojoMarketplace. Aren’t they second largest market place? I bought the Frisco theme by CreativeSmitten from Mojo. That theme has version 3.0.95 of the Revolution slider. I recently went to check for an update on Mojo… the theme is not listed. What is worst is there is no mention of Revolution Slider security breach anywhere on their site.

    Where is the finger pointing at Mojo Marketplace? At least ThemeForest took the issue head-on. The publicly listed and all themes using the plugin, both with safe versions and unsafe versions.

    BTW… I have not against Mojo, nor do I have anything for TF

  11. Hi @Polly,

    When I read this line I thought "Really?!?"

    Respected professionals in the WordPress community have been calling on theme authors to keep plugins separate for years. This situation has renewed the debate:

    Of course I'm always willing to admit I'm missing something so I read Pippin's tweet and then tweeted him to ask him why. He replied which then turned into a long Twitter exchange followed by an even longer Skype discussion (to keep my followers from getting a 1000+ tweets!) It took a while for me to discover but I think that it appears you misunderstood Pippin's tweet like I misunderstood his tweet. I now understand that he was only talking about commercial plugins and that he meant:

    “This is why ENVATO should never permit bundled plugins in themes:…”

    Instead of:

    “This is why YOU should never permit bundled plugins in themes:…”

    As Pippin repeated to me that themes should not bundle plugins I pointed out it wasn't a technical issue causing the problem but instead a business decision. As he said (effectively): "No buy, no updates", and he mentioned that Gravity Forms has the same problem and policy. I replied that I thought both he and Gravity Forms were being short-sighted; more on that in a bit.

    He also said that the theme vendor sending the customer to buy the commercial plugin was the "right" thing to do and I pointed out that "right" was a values judgment and that values are subjective (and also often biased in the favor of the value holder, though I didn't mention that part at the time.) So we agreed that "right" vs. "wrong" was not a good way to approach this issue.

    Back to the "short sighted" part: I said I thought it was short-sighted of commercial plugin vendors to view themers that bundle their plugins as being the problem and instead that I believed the plugin vendors would be much better off viewing the themers as valued channel partners. If plugin vendors actively encouraged bundling but also included an updater that would give one free update in exchange for registration then the plugin vendor would benefit greatly from wider brand exposure and the theme buyer would get all current patches.

    Once the theme buyer registers for their update the plugin vendor would then have a sales opportunity to give the theme buyer a one-time offer for a slightly discounted "support" agreement that could, for example, include upgrades for a year and security patches for 2 years. With this plugin vendors would likely get sales from people they previously would not sell AND would grow their prospect database significantly for future upgrades and new products. It seems so much like a win-win to me all around that I'm surprised that Pippin did not appreciate the value of growing a large database of future prospects with little to no effort on his part.

    But although I think Pippin grudgingly agreed I think primarily he was still focused on business-as-usual where the concern is that the theme buyer had not paid him anything "so that person didn't deserve support." (But it is very possible that I misunderstood his position so don't take this as gospel.)

    Pippin also said that it was a support issue because the customer would be confused about who to go to for support but my take is that an appropriate configuration and update process could easily make that clear. We didn't really belabor this issue, though.

    Finally, we did agree that the real problem is Envato not putting down guidelines that address these issues. I personally don't blame Envato for the past as hindsight is 20/20, but would expect them to address this issue post haste.

    But we diverged again in that Pippin also thinks Envato should deny bundling whereas I think it would be better for everyone if Envato were to ensure bundled plugins that work with a script they provide that ensures all plugins are updated unless the buyer was unwilling to agree to the terms of update (i.e. plugin registration.) Then Envato could work with leading plugin vendors to rally support for the "one update in exchange for a registration" policy.

    Note that I ran a catalog mail order retailer for 12 years that sold software components and tools for Visual Basic and later for .NET with $12 million in annual revenue at peak. Basically we were the Envato of the Visual Basic era, so I do have a bit of relevant experience here.

    In summary, I strongly disagree with the assertion that "theme authors should keep plugins separate" is a "best practice" and the above explains why.

  12. btw. Why people use sliders and all kind of ”fireworks” on website ?
    I really don’t remember if I clicked on any kind of blinking or fancy staff on website.
    Mostly what I see on that kind of website, its just that it loads 5+ seconds, then I close it and no chance to read content there.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: