A couple of days ago we wrote about a critical security vulnerability that was found in the popular WordPress Slider Revolution plugin and silently patched by its author. Envato Market has since launched a further investigation of the matter, as the product is not only hosted on their marketplace but also packaged with many other products.
The company has identified more than 1,000 themes sold through its marketplace that are potentially affected by this vulnerability. While many of the products have already been patched, some theme authors have not yet acted. In recognition of the severity of this vulnerability and the ease with which it’s exploited, the marketplace is temporarily disabling themes that have not yet been patched:
We are starting to temporarily disable affected themes that haven’t been updated, contacting authors of those themes to get an update through ASAP. This will take a while as there are a lot of themes to manually sort through.
Even with the products getting patched, the next challenge is to get users to update. Many themes do not have an auto-update system included to notify users and WordPress users do not always apply updates as soon as they are available, for fear of breaking something. Envato Market is addressing this by emailing users to inform them of the security vulnerability:
We will be contacting all buyers of affected themes directly via their Envato Market email address asap, to ensure they read and act on this information.
Envato Market published detailed instructions to help users determine if they are affected and update accordingly.
The Danger of Bundling Plugins With Themes
When a security vulnerability potentially affects more than 1,000 products, silent patching is not acceptable. This should have been publicly disclosed by the ThemePunch team at the time it occurred, which might have prevented this vulnerability from being actively exploited in the wild.
At the end of the post, Envato Market highlights what they are doing to ensure that this doesn’t happen again:
We will be releasing guidelines and processes to make sure issues like this get to us faster, and to help authors make sure their buyers are updated and patched as fast as possible.
We are also going to revisit how updates are handled for bundles and themes that include separate plugins.
Unfortunately, “more guidelines and processes” do not address the root of this problem. This vulnerability highlights the danger of allowing theme authors to bundle plugins in their products. Envato Market would have no need to list out 1,000+ potentially affected themes if it discouraged, or even forbade, theme authors from bundling plugins.
Since the vast majority of Envato’s top-selling themes do not follow industry best practices, forbidding them from bundling plugins would almost certainly result in a loss of profit. There seems to be little incentive for Envato Market to act decisively on the lesson of this security vulnerability and move toward best practices.
Respected professionals in the WordPress community have been calling on theme authors to keep plugins separate for years. This situation has renewed the debate:
[Embedded tweet from Pippinsplugins (@pippinsplugins), September 5, 2014]
Historically, Envato has been slow to act on theme best practices. Last year’s addition of a GPL licensing option and the updated theme submission requirements were a good start, but authors have found ways to skirt the requirements. Justin Tadlock offers some insight on this practice, following his Themeforest experiment:
Based on what I’ve seen in the forums, many authors are just looking for ways to do what they’ve already been doing but just putting it in a plugin packaged with their theme. Basically, they don’t want anyone to “steal their code” nor do they want to truly make a wonderful user experience, one in which users will keep coming back long after they’ve switched to a new theme. If you package your plugin functionality into a plugin that’s only ever going to be useful with your theme, then you’re _doing_it_wrong(). That’s what I envision, but I hope that’s the sort of thing Envato will take a stand against. Otherwise, you’re just pulling the same ol’ tricks in a different costume.
This experience prompted Tadlock to continue building standalone plugins that theme authors can add support for when building their products. This frees theme authors to focus on the theme itself and offers better data portability for users via plugins. Adopting a standard for plugin functionality is good for users and creates less work for theme authors. They can continue building more themes, instead of wasting time patching their themes for a slider’s security vulnerability.
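To make the "keep plugins separate" recommendation concrete, here is an added illustration in PHP of the two theme patterns the article contrasts. It is not code from the article, from Envato, from ThemePunch or from any real theme; the plugin slug `example-slider`, the function `example_slider_render()` and the theme function names are hypothetical. The first pattern loads a copy of a plugin shipped inside the theme directory, which is why a fix published by the plugin author never reaches the site through the normal plugin updater; the second pattern declares support for a separately installed plugin and degrades gracefully when it is absent.

```php
<?php
/**
 * Added illustration (not code from the article, Envato, ThemePunch or any real theme).
 * Hypothetical names: 'example-slider' plugin slug, example_slider_render() function,
 * and the separate_theme_* / bundled_theme_* functions below.
 */

// --- Pattern 1: the bundling approach the article argues against ---
// The theme ships its own copy of the plugin and loads it directly. WordPress's
// plugin updater only tracks plugins installed under wp-content/plugins, so this
// copy stays frozen at whatever version the theme was built with until the theme
// itself is updated and re-installed by the site owner.
function bundled_theme_load_slider() {
    $bundled = get_template_directory() . '/inc/plugins/example-slider/example-slider.php';
    if ( file_exists( $bundled ) ) {
        require_once $bundled; // invisible to the plugin update mechanism
    }
}
// add_action( 'after_setup_theme', 'bundled_theme_load_slider' );

// --- Pattern 2: keep the plugin separate; the theme only adds support ---
// The plugin is installed from its own source and updated through the normal
// plugin updater; the theme detects it at runtime instead of shipping it.
function separate_theme_setup() {
    // Register that this theme knows how to style the plugin's output; a plugin
    // built this way checks current_theme_supports( 'example-slider' ).
    add_theme_support( 'example-slider' );
}
add_action( 'after_setup_theme', 'separate_theme_setup' );

function separate_theme_slider_area( $slider_id ) {
    if ( function_exists( 'example_slider_render' ) ) {
        example_slider_render( $slider_id );
        return;
    }
    // Plugin absent: render plain markup rather than a fatal error.
    echo '<div class="slider-fallback">' . esc_html( get_bloginfo( 'description' ) ) . '</div>';
}

// Tell administrators the plugin is missing, without bundling it.
function separate_theme_missing_plugin_notice() {
    if ( function_exists( 'example_slider_render' ) || ! current_user_can( 'install_plugins' ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p>'
        . esc_html__( 'This theme supports the Example Slider plugin. Install it from its own source so it receives security updates.', 'separate-theme' )
        . '</p></div>';
}
add_action( 'admin_notices', 'separate_theme_missing_plugin_notice' );
```

With the second pattern, a security fix released by the plugin author reaches every site through the plugin's own update channel, and the theme author has nothing to patch or redistribute. The `file_exists()` / `function_exists()` checks are also the quickest way for a site owner to audit a theme: a `require` of a plugin file under the theme's own directory is the signature of a bundled copy that will not be updated by WordPress.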
WordPress is now used by more than 23% of the world’s websites and will always be a target for hackers looking to exploit vulnerabilities. If Envato Market doesn’t take a stand against theme authors packaging plugins, it will continue to encounter the same security problems that are topping the headlines this week.