Jeff Ikus of WooThemes announced on the company's theme development blog that it has pushed out updates to all of its products that use the prettyPhoto library. The update fixes a DOM-based cross-site scripting vulnerability discovered in 2014.
prettyPhoto is a jQuery lightbox clone used in a potentially large number of WordPress products. If you use a WordPress plugin or theme that relies on prettyPhoto, please get in touch with the author to make sure they’re aware of this security vulnerability. If you use the prettyPhoto WordPress plugin, make sure it’s running version 1.2 as it contains the patched library.
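Because a library like prettyPhoto is bundled separately by every theme and plugin that uses it, updating one plugin does not tell you whether other copies on the site are still old. The script below is an added example, not code from the article, WooThemes or the prettyPhoto project: it walks a wp-content tree, finds every bundled prettyPhoto file, reads the version from its header comment, and flags copies below a minimum version. The header pattern (`Version: x.y.z`), the file-name pattern and the `MIN_SAFE_VERSION` value are assumptions and placeholders; set the minimum to the first prettyPhoto release that carries the fix.

```python
"""Inventory bundled prettyPhoto copies under a WordPress wp-content tree."""
import os
import re
import tempfile
from pathlib import Path

# Assumption: prettyPhoto's source header carries a line like "Version: 3.1.6".
VERSION_RE = re.compile(r"Version:\s*(\d+(?:\.\d+)*)", re.IGNORECASE)
FILENAME_RE = re.compile(r"jquery\.prettyphoto.*\.js$", re.IGNORECASE)
# Placeholder: the first prettyPhoto release containing the DOM-XSS fix.
MIN_SAFE_VERSION = "3.1.6"


def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text[:2048])
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def scan_wp_content(root, min_safe=MIN_SAFE_VERSION):
    """Return sorted (path, version_or_None, is_vulnerable) for every copy.

    A copy with no readable version is reported as vulnerable, because it
    cannot be shown to be patched (typical for minified files with the
    header stripped).
    """
    min_tuple = tuple(int(p) for p in min_safe.split("."))
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not FILENAME_RE.search(name):
                continue
            path = Path(dirpath) / name
            version = parse_version(path.read_text(errors="replace"))
            vulnerable = version is None or version < min_tuple
            label = ".".join(map(str, version)) if version else None
            findings.append((str(path), label, vulnerable))
    return sorted(findings)


# Constructed sample tree: one patched plugin copy, one old theme copy,
# one header-less minified copy, and an unrelated script to be ignored.
SAMPLE_FILES = {
    "plugins/prettyphoto/js/jquery.prettyPhoto.js": "/* Class: prettyPhoto\n   Version: 3.1.6 */\n",
    "themes/some-theme/js/jquery.prettyPhoto.min.js": "/* Class: prettyPhoto Version: 3.1.5 */\n",
    "themes/other-theme/assets/jquery.prettyphoto.js": "(function($){})(jQuery);\n",
    "themes/some-theme/js/main.js": "/* Version: 1.0 */\n",
}


def demo():
    """Write the constructed tree to a temp dir, scan it, return relative findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return [(Path(p).relative_to(tmp).as_posix(), v, vuln)
                for p, v, vuln in scan_wp_content(tmp)]
```

Run `scan_wp_content("/path/to/wp-content")` against a real install; every row flagged `True` is a copy whose vendor still needs to ship the patched library.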
In 2011, TimThumb made headlines when a major security vulnerability was discovered and used to hack into several websites. At the time, Ben Gillbanks, the library’s maintainer, estimated 95% of all commercial WordPress themes supported TimThumb.
At the end of 2014, a security vulnerability was discovered in the Slider Revolution plugin that allowed more than 100k websites to be compromised.
Using third-party scripts and libraries is not a bad thing. The practice, however, comes with a set of risks. It's up to developers to be vigilant and accept the responsibilities that come with relying on a third party. It's also imperative that developers do everything they can to update their products and notify their users when a security vulnerability is discovered.
If you're a developer, let us know the criteria you use to determine which third-party scripts, libraries, and tools you rely on.