WordPress Theme OptimizePress Contains Security Vulnerability

Osirt, a malware security company, is reporting that the WordPress theme OptimizePress contains a significant security vulnerability. According to the security bulletin published a few days ago, the problem lies within the media-upload.php file. When a browser loads this file within the theme, the media upload screen appears. From here, malicious users can upload PHP files and execute them on the server.

So far, OptimizePress has not made any public statements regarding the security bulletin. Their Twitter account has been inactive since March of 2013. Judging by the comments on the Osirt article, it looks like this vulnerability may be limited to version 1 of the theme.

An initial look on my OP2 install doesn’t show this file: wp-content/themes/OptimizePress/lib/admin/media-upload.php exists at this location. The OptimizePress directory is called OptimizePressTheme in OP2 and even if you follow that tree, there isn’t a media-upload.php. – CourageDragon

If you are using version 1 of OptimizePress, you’re encouraged to set your desired “Coming Soon” image and then rename or delete wp-content/themes/OptimizePress/lib/admin/media-upload.php. It’s also worth noting that even if OptimizePress version one is not activated, the media-upload file can still be accessed.
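An added example, not from the original post or from OptimizePress, of the rename step above as a small POSIX shell helper: it locates media-upload.php under lib/admin of any installed theme (using find rather than the fixed path, since the theme directory name varies, as the OP2 comment notes) and renames each hit so it can no longer be requested. The make_sample_root function builds a constructed WordPress tree for a dry run.

```shell
#!/bin/sh
# Added example (not the post's or OptimizePress's own code): find the
# OptimizePress 1.x media-upload.php under a WordPress root and rename it,
# which is the mitigation the post recommends. Files under wp-content/themes
# are served whether or not the theme is active, so this applies to every
# install that still carries the file.

# Print every media-upload.php found under lib/admin of any theme directory.
find_op1_upload() {
    find "$1/wp-content/themes" -type f \
        -path '*/lib/admin/media-upload.php' 2>/dev/null
}

# Rename each hit to <name>.disabled so the web server no longer serves it.
# Returns 0 when at least one file was found, 1 when none were found.
disable_op1_upload() {
    hits=$(find_op1_upload "$1")
    [ -n "$hits" ] || { echo "no media-upload.php found under $1"; return 1; }
    echo "$hits" | while IFS= read -r f; do
        if mv -- "$f" "$f.disabled"; then
            echo "renamed: $f -> $f.disabled"
        else
            echo "FAILED to rename: $f" >&2
        fi
    done
    return 0
}

# Build a constructed WordPress tree in a temp dir for a dry run; prints root.
# The OptimizePressTheme directory mirrors OP2, which has no such file.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/OptimizePress/lib/admin" \
             "$root/wp-content/themes/OptimizePressTheme/lib"
    printf '<?php // constructed stand-in for the vulnerable file\n' \
        > "$root/wp-content/themes/OptimizePress/lib/admin/media-upload.php"
    echo "$root"
}
```

Run `disable_op1_upload /var/www/example` against a real root (path is an assumption) and keep the `.disabled` copy only long enough to confirm the site still works, then delete it.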

Thanks to Len in the comments for sharing this support link from the OptimizePress help area, which specifically notes the security vulnerability in version 1 of their theme. Those who are using OptimizePress 2.0 or later are not at risk.


12 responses to “WordPress Theme OptimizePress Contains Security Vulnerability”

  1. Scott says:

    Has this been fixed?


  2. Jeffro says:

    @Scott – Based on the research I conducted before publishing this post, no. Also, there are two different OptimizePress versions. 1.0 and 2.0. I don’t have access to the new theme but based on comments in the article I linked to above, the 2.0 version of the theme does not have a media-upload.php file.


  3. Mika E. (Ipstenu) says:

    The 1.52 version seems to be okay (I managed to find one to test on), but I was highly amused that they have a Fauxgo



  4. Jeffro says:

    @Mika E. (Ipstenu) – I too noticed the Fauxgo on their site. They also don’t have an announcements blog or an easy way to get in touch with them.


  5. Len says:

    Don’t know if my previous comment went through. If it did then delete this one. :)

    I found this on their support site.



  6. Jeffro says:

    @Len – Thanks for the link Len. That explains it then.


  7. Syed Balkhi says:

    @Mika E. (Ipstenu) – A lot of people outside the WordPress community don’t know what the real logo looks like. I have even seen the Fauxgo in a fairly credible journal where I think Matt was interviewed. Can’t remember whether it was Forbes or WSJ.


  8. Chip Bennett says:

    @Mika E. (Ipstenu)

    …but I was highly amused that they have a Fauxgo

    There’s usually a high correlation of Fauxgo and non-GPL licenses for WordPress Themes, as is the case here.


  9. Jarrett Holmes says:

    It’s complete B.S. that OP has nothing on their site addressing this. All the threads listed above have been deleted!! This should be their #1 priority right now and they should have a highly detailed fix/repair post on their site with a video training. I have almost 10 sites right now affected with this freaking malware issue. Anyone have a great solution link?


  10. Sergio Felix says:

    Does anyone know how to fix a site that is already infected because of this flaw?


