WooThemes Fixes XSS Vulnerability in Products Using the prettyPhoto Library

Jeff Ikus of WooThemes announced on the company's theme development blog that it has pushed out updates to all of its products that use the prettyPhoto library. The update fixes a DOM-based cross-site scripting vulnerability discovered in 2014.

prettyPhoto is a jQuery lightbox clone used in a potentially large number of WordPress products. If you use a WordPress plugin or theme that relies on prettyPhoto, please get in touch with the author to make sure they’re aware of this security vulnerability. If you use the prettyPhoto WordPress plugin, make sure it’s running version 1.2 as it contains the patched library.

Risky Business

In 2011, TimThumb made headlines when a major security vulnerability was discovered and used to hack into several websites. At the time, Ben Gillbanks, the library’s maintainer, estimated 95% of all commercial WordPress themes supported TimThumb.

At the end of 2014, a security vulnerability was discovered in the Slider Revolution plugin that allowed more than 100k websites to be compromised.

Using third-party scripts and libraries is not a bad thing. The practice, however, comes with a set of risks. It's up to developers to be vigilant and accept the responsibilities that come with relying on a third party. It's also imperative that developers do everything they can to update their products, and inform their users, when a security vulnerability is discovered.

If you're a developer, let us know what criteria you use to decide which third-party scripts, libraries, and tools to rely on.

4 Comments


  1. Well, that’s a little unnerving. Why can’t all hackers just join in on the endless parade of clumsy brute force bot attacks on /wp-admin? What are your recommendations for reads for newbies or non-techies, so that they can familiarize themselves with potential security risks, and how to evaluate them?



  2. A quick check of builtwith shows that my site is using the jQuery prettyPhoto library, potentially as a part of multiple plugins or themes. Is there an easy way to find out which plugins these are so I can check with the authors that they've patched the problem?

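One way to answer the question above and follow the article's advice to contact each author: walk a site's wp-content directory, list every bundled copy of the prettyPhoto library with the plugin or theme that ships it and the version in its file header. This is an added example, not code from WP Tavern or WooThemes; it assumes the library keeps its upstream file name (jquery.prettyPhoto.js, optionally .min.js) and a "Version:" line in its header comment, and the sample tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or WooThemes): report each copy of
# prettyPhoto under wp-content as "<plugins|themes>/<slug>  <version>  <path>",
# so you know which authors to ask about the patched library.
# Assumption: files are named jquery.prettyPhoto*.js with a "Version:" header.

find_prettyphoto() {
    wp_content="$1"
    find "$wp_content" -type f -name 'jquery.prettyPhoto*.js' 2>/dev/null | sort |
    while IFS= read -r f; do
        # wp-content/<plugins|themes>/<slug>/... -> "<plugins|themes>/<slug>"
        rel="${f#"$wp_content"/}"
        kind="${rel%%/*}"
        rest="${rel#*/}"
        slug="${rest%%/*}"
        # Version from the library header; minified builds often lack it,
        # so report "unknown" rather than guessing.
        ver=$(sed -n 's/.*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1)
        printf '%s/%s\t%s\t%s\n' "$kind" "$slug" "${ver:-unknown}" "$rel"
    done
}

# Constructed sample wp-content tree (hypothetical plugin and theme slugs)
# so the script runs offline; a real site passes its own wp-content path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/plugins/gallery-plugin/js" "$root/themes/shop-theme/assets/js"
    printf '/* ---\n\tClass: prettyPhoto\n\tVersion: 3.1.5\n--- */\n' \
        > "$root/plugins/gallery-plugin/js/jquery.prettyPhoto.js"
    printf '(function(e){e.prettyPhoto={}})(jQuery);\n' \
        > "$root/themes/shop-theme/assets/js/jquery.prettyPhoto.min.js"
    printf '%s\n' "$root"
}

if [ $# -gt 0 ]; then
    find_prettyphoto "$1"        # e.g. sh find_prettyphoto.sh /var/www/html/wp-content
else
    root=$(make_sample_tree)
    find_prettyphoto "$root"
    rm -rf "$root"
fi
```

A reported version only tells you which copy each author ships; whether that copy contains the fix is still a question for the plugin or theme author.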
