WordPress Theme OptimizePress Contains Security Vulnerability

Osirt LogoOsirt, a malware security company is reporting that the WordPress theme OptimizePress contains a significant security vulnerability. According to the security bulletin published a few days ago, the problem lies within the Media-upload.php file. When a browser loads this file within the theme, the media upload screen appears. From here, malicious users can upload php files and execute them on the server.

So far, OptimizePress has not made any public statements regarding the security bulletin. Their Twitter account has been inactive since March of 2013. Judging by the comments on the Osirt article, it looks like this vulnerability may be limited to version 1 of the theme.

An initial look on my OP2 install doesn’t show this file: wp-content/themes/OptimizePress/lib/admin/media-upload.php exists at this location. The OptimizePress directory is called OptimizePressTheme in OP2 and even if you follow that tree, there isn’t a media-upload.php. – CourageDragon

If you are using version 1 of OptimizePress, you’re encouraged to set your desired “Coming Soon” image and then rename or delete wp-content/themes/OptimizePress/lib/admin/media-upload.php. It’s also worth noting that even if OptimizePress version one is not activated, the media-upload file can still be accessed.

Thanks to Len in the comments, he shared this support link via the help area of OptimizePress that specifically notes the security vulnerability in version 1 of their theme. Those who are using OptimizePress 2.0 or later are not at risk.


  1. @Scott – Based on the research I conducted before publishing this post, no. Also, there are two different OptimizePress versions. 1.0 and 2.0. I don’t have access to the new theme but based on comments in the article I linked to above, the 2.0 version of the theme does not have a media-upload.php file.


  2. @Mika E. (Ipstenu) – I too noticed the Fauxgo on their site. They also don’t have an announcements blog or an easy way to get in touch with them.


  3. @Mika E. (Ipstenu) – A lot of people outside the WordPress community don’t know what the real logo looks like. I have even see the Fauxgo on a fairly credible journal where I think Matt was interviewed on. Can’t remember whether it was Forbes or WSJ.


  4. @Mika E. (Ipstenu)

    …but I was highly amused that they have a Fauxgo

    There’s usually a high correlation of Fauxgo and non-GPL licenses for WordPress Themes, as is the case here.


  5. It’s complete B.S. that OP has nothing on their site addressing this. All the threads listed above have been deleted!! This should be their #1 priority right now and they should have a highly detailed fix/repair post on their site with a video training. I have almost 10 sites right now affected with this freaking malware issue. Anyone have a great solution link?


  6. Does anyone know how to fix a site that is already infected because of this flaw?


Comments are closed.