Headway 3.8.9 Patches Potential XSS Vulnerability

If you noticed an update for Headway, it’s not your mind playing tricks. Late last week, Headway Themes released version 3.8.9 to patch a potential security vulnerability involving the license key field. The vulnerability was discovered and reported to Sucuri by Gary Bairéad, a former Headway Themes employee.

At the time of writing, the company has not publicly announced the availability of 3.8.9 to customers. The update comes more than a month after founders Grant and Clay Griffiths issued an apology for the lack of customer support and communication.

Lack of Communication and Support Continues

Since the apology was published, the company’s blog and social media accounts have remained silent. Bairéad continues to use his site to update the public on the status of Headway Themes. In his most recent post, Bairéad published a number of screenshots that show the company is still not providing the level of support advertised on its site.

One Month Progress Report

I reached out to Grant and Clay Griffiths to find out what progress they’ve made on providing “a first level of support service” as mentioned in the apology, what steps they’ve taken to rebuild the business, and if they have any comments on Bairéad’s article.

“Support is being provided and updates have been and will continue to be pushed,” Grant said. “We are also in contact with Influx to further improve our support,” Clay said.

Influx provides customer support for companies, including those in the WordPress ecosystem such as Advanced Custom Fields. Influx has elastic pricing allowing companies to pay for the amount of support they need. Prices start at $199 per month and increase as the number of responses increases.

While the Griffiths did not acknowledge unpaid staff in their apology, former employees have since received partial payments of the money they are owed.

Community Is Optimistic About Headway Fork

While the future of Headway Themes and its product remains in limbo, many in the community are optimistically supporting a fork called Blox Builder. Blox is a fork of Headway 3.8.8 created by Maarten Schraven that is 100% GPL licensed.

Headway is Not 100% GPL

According to Headway Themes’ terms of service, “All WordPress themes produced by Headway Themes, LLC are released under the GPL version 2.0 license.”

A key difference between Blox and Headway is that Blox doesn’t use Redactor.js, a WYSIWYG editor. The script costs $199 and its license agreement makes it incompatible with the GPL.

Upfront, a product created by WPMU Dev, launched with Redactor.js. In the launch post, James Farmer, founder and CEO of WPMU Dev, confirmed that everything in Upfront is GPL except for Redactor: “Everything in Upfront is currently 100% GPL, with that exception, as they won’t let us… we’ve asked,” he said.

At best, Headway is split-licensed, but nothing on the site informs customers of this. Considering Clay is a co-owner of a WordPress business that sells a product that is not 100% GPL, should he be able to sponsor WordCamps advertising Pressmatic? According to the WordCamp organizer handbook, no.

If users and customers want to support a 100% GPL product that’s actively developed, check out the community-driven fork. Blox recently came to a consensus on pricing and is offering a 40% discount with three months of extra support and updates for former Headway customers.


19 responses to “Headway 3.8.9 Patches Potential XSS Vulnerability”

  1. Why is GPL here even remotely important to anyone except for the WordPress Foundation? Does it make the code better or worse? Probably not.

    If the WordPress Foundation thinks they have a case (which they don’t) they should simply sue instead of playing the shaming game about something 99% of WordPress users don’t care about.

    • I’m in the 1% too.

      The reason people care about the GPL is due to the 4 freedoms it provides to users.

      When the developer of b2 went awol, it was the GPL that gave Matt Mullenweg and Mike Little the freedom to fork it and create WordPress.

      Those same freedoms allow people to fork (most of) Headway if they wish to, if they’re unhappy at giving Vesped Inc up to $199 for support they’ve been unable to access for several months.

      Ftr, I’m not active in forking Headway, but I support the freedom of others to fork it if they want to.

      • With Jeff the cultural reference is funny, after that it is just a joke told too many times. 99% (and I am being conservative here) of WordPress users do not care, and 90% of WordPress developers do not understand what it means. The fact that there are people in the 1% is obvious as this will include the explicitly mentioned WordPress Foundation.

        I would guesstimate that all Envato products are not GPL compliant, explicitly or implicitly, which will make 40-50% of all actively maintained plugins and themes non-compliant.

        If you really cared about freedoms you would have used a BSD-style license and avoided a restrictive license like GPL.

    • The GPL is important for three reasons in this case. First, because of WordPress itself, and, unless Headway is written with absolutely no WordPress functions (which I doubt), it’s a derivative work. Second, listing a theme as 100% GPL when you’re including a library that isn’t GPL at all, or at least compatible with it, is a blatant falsification. Third, 90% of users don’t care about the GPL, but that’s because, for the time being, they’re not being restricted in what they can do with WordPress and associated plugins, themes, and other products. If that ever becomes a problem, they’d care real quick. And it’s our job as developers to protect the rights that the GPL grants users. The 1% is supposed to care about it and abide by it so the 99% can afford to not care about it.

      • 1. It is time that you either sue or just stop spreading misinformation. The court has decided many times in many different ways that the WordPress Foundation has no legal ground here. This is the most famous and last one – https://en.wikipedia.org/wiki/Oracle_America,_Inc._v._Google,_Inc.#Second_trial.
        Seems like the WordPress Foundation is the only notable group in the open source world that cheered for Oracle.

        2. Yes, it is lying and people that engage knowingly in that should be shamed, but as most developers are not lawyers and do not consult lawyers I will not be surprised if detailed examination finds many themes and plugins that are also guilty of copyright violation of some kind. For example, the license of Stack Exchange required up to February this year that you add a link in your code to the question from which you copied it. Most people do not do it and are therefore in copyright violation, and they cannot reassign the license to that code, and that specific required comment cannot be modified, which makes it non-GPL compliant.
        So if you are going to complain about Headway, please complain about all the others that include some code from SE but still claim that they are GPL.

        3. How does treating people that dare to do anything which is not GPL as bad people protect anything? It is just an abuse of power, nothing more.

  2. I am concerned that, as a former developer of add-ons for Headway, folks are still renewing their subscriptions, and I am not being paid my share of that renewal.

    This is obviously doing the wrong thing by me, but also the customers who are renewing in good faith.

    Renewals are decreasing each month – e.g. for September I am owed $206 but half way thru October it’s only up to $31. So folks are catching on.

    I am owed for sales and renewals back to April this year, except for May, which was paid out of order – prob coz it was much less than April.

    If anyone wants to transfer their licence to my system, please contact me thru pizazzwp.com


    PS Regards the GPL, I think it’s great for rescuing a dying product or forking an old one… but shouldn’t be used for forking a live and active commercial product to then compete head on with that product. 2c

  3. What remains of Headway as a brand under the current ownership is irreparable. It would be in the interest of everyone involved if the Griffiths sold Headway.

    Everybody could move on; we could get support, staff and developers could get paid, Clay could wipe the slate clean and build Pressmatic and Grant could return to work as an attorney.

    The Headway community does not need Grant and Clay. The fork demonstrates this. Grant and Clay need to realize that they are the problem; they should hand over the reins to somebody else.

  4. I’m a Headway customer. Maybe soon to be a Bloxtheme customer. However, I haven’t really used it for any new sites for about 12 months.

    Anyway, my 2 cents.

    What I would like to see is:

    1. Headway back on their feet and supporting customers

    2. A new roadmap for the current “age”. By that I mean… drag and drop for individual pages – hardly relevant now. Headway / Blox doesn’t need to try to push forward on this. There are better tools for this content design aspect. Headway is great for setting up the blocks and structure.
    Dynamik Website Builder for instance as far as I am aware has no plans to create huge new features – just to do what it does very well incrementally better.
    Headway will not attract, and will likely lose, all customers that can do better with Beaver Builder, but it can retain a lot of low-maintenance customers that need a good WP starting point. Myself for example – customer 2 years and never needed to submit a support ticket (not that I remember anyway – maybe a forum post or something).
    Headway could target these customer types and survive.

    As part of this roadmap – move to 100% GPL now that it’s become something of a discussion point.

    Also…I say this as customer. And somebody that has suffered great pressure and stress in my work at times over the years. When something goes wrong, it can be horrible. We have seen HeroPress, Cory Miller and others come out with stories about such things.
    I know that if you are under great stress and public pressure … especially financially… that even going near to a project surrounded by so much negative energy can be really hard. Almost to the point that opening a code editor on a project can create some very negative feelings.

    On that note… I applaud the news about outsourcing some first line support to Influx…to keep the project going and create some distance from the front line and get things behind the scenes sorted out.

    I also sympathise with the employees that have not been paid / partially paid. I was around for the dot-com bubble…it happened to me 3 times in a row. Fortunately…cream rises and I know those skilled ex-Headway people will likely do just fine – because they are very very smart people.

    In a nutshell, I would love to see some positive energy and encouragement from here on in. Even if we split the discussion of GPL within the theme into a totally different discussion. Of course this matters, but it matters not if Headway as a company and theme disappears completely. The owners 100% need to commit to some ongoing dialogue. However, there may be legal reasons that they can not. So I wanted to put it out there that this is a concern for everyone. The owners of Headway are likely having a bad time of it too – currently a great business they had has fallen to pieces and its reputation is in tatters. But … it can be rebuilt.

    But thank you WP Tavern for keeping tabs on everything. Absolutely – somebody has to, and it’s likely your input is forcing some movement. And thumbs up to the others doing great positive things to keep informed…and Blox theme – well done you guys.

  5. Myself for example – customer 2 years and never needed to submit support ticket (not that I remember anyway – maybe a forum post or something).

    Lucky you. I paid Grant and Clay Griffiths for a usable version of Headway 4 and 12 months of support.

    I haven’t gotten either of those.

    They sold us a theme that they knew didn’t work because they needed the cash.

    They’ve lied to us about support for months.

    They haven’t paid developers for sales of their own products going back to April.

    They haven’t paid support people going back to May.

    Are they going to pay Influx.com with the cash they haven’t sent Chris for sales and renewals of his own products for the past six months?

    If this was any other industry Headway would be in court by now.

    Oh, and they lie about Headway being 100% GPL for good measure.

    • I sympathise totally.
      Assuming there is mostly no money, what’s your suggestion for moving forward…?

      From the sounds of it you haven’t invested heavily with client sites (on the basis you purchased v4). Many people have a wider concern about client sites. I’m in that boat. So I hope for your sake it was just a waste of money non-starter. Still… Annoying and that’s your money.

      I would say that this isn’t different to any other industry. Headway is a company and will go the same way any business in trouble will go… Eventually some kind of liquidation of assets sold to highest bidder.

      I wouldn’t be surprised if a rescue package is in process now from some buyer. Regardless, the Headway homepage should stop taking purchases.

      For now, without a big financial turn around I doubt anyone is getting their money back.

      I doubt there is much point trying legal action for customers. But for staff not paid… They are the guys I feel for most.
