Earlier this week, one of the largest coordinated efforts between WordPress plugin authors, Sucuri, and the WordPress security team resulted in a number of popular plugins receiving security updates. The root cause was documentation: inaccurate entries in the WordPress Codex led a number of developers to assume that add_query_arg() and remove_query_arg() escape their output, so they echoed the returned URL straight into HTML. Neither function escapes anything, and because both build on $_SERVER['REQUEST_URI'] when no base URL is supplied, characters an attacker places in the request URL come back out in the page, a reflected cross-site scripting (XSS) hole.
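To make the failure mode concrete, here is an added example (not code from the article, TGM, OptionTree, Redux or any marketplace item) showing the vulnerable pattern next to its hardened form as a must-use plugin for a throwaway WordPress test site. The function names, page slug and the hostile request are illustrative assumptions; the escaping calls are the ones the Make WordPress guidelines recommend.

```php
<?php
/**
 * Plugin Name: add_query_arg escaping demo
 *
 * Added example, not part of the original article or of any project it names.
 * Copy into wp-content/mu-plugins/ on a throwaway site, then open
 * Tools > AQA demo with a hostile query string appended, e.g.
 *   /wp-admin/tools.php?page=aqa-demo&"><img src=x onerror=alert(1)>
 * The payload travels as a query-string *key*: add_query_arg() URL-encodes
 * the values it parses out of REQUEST_URI but not the keys, so the key is
 * reassembled into the returned URL exactly as parse_str() decoded it.
 * Function and slug names are illustrative assumptions.
 */

// When no base URL is passed, add_query_arg() and remove_query_arg() build
// on $_SERVER['REQUEST_URI'], so what the visitor put in the address bar
// comes back in the return value. Neither function escapes for any context.

function aqa_demo_vulnerable_link() {
	// VULNERABLE: the unescaped return value is echoed inside an attribute.
	// With the hostile request above, the "> in the reflected key closes the
	// href attribute and the rest of the payload becomes live markup.
	return '<a href="' . add_query_arg( 'view', 'list' ) . '">List view</a>';
}

function aqa_demo_hardened_link() {
	// HARDENED: esc_url() is the escaper for a URL echoed into HTML. It strips
	// characters that are not valid in a URL (including " < and >), turns
	// & and ' into entities, and rejects unsafe schemes such as javascript:.
	return '<a href="' . esc_url( add_query_arg( 'view', 'list' ) ) . '">List view</a>';
}

function aqa_demo_clean_redirect_target() {
	// Not going into HTML (Location header, options table, transient): use
	// esc_url_raw(), which sanitises the same way but leaves & un-entitied.
	return esc_url_raw( remove_query_arg( array( 'view', 'x' ) ) );
}

function aqa_demo_render_page() {
	echo '<div class="wrap"><h1>add_query_arg escaping demo</h1>';

	// Show what the vulnerable pattern WOULD emit without letting it execute:
	// esc_html() renders the would-be markup as visible text.
	echo '<h2>Unescaped output (shown as text, not rendered)</h2><pre>';
	echo esc_html( aqa_demo_vulnerable_link() );
	echo '</pre>';

	// The hardened link is rendered live; the payload survives only as a
	// harmless, quote-free query key inside the attribute.
	echo '<h2>esc_url() output (rendered live)</h2>';
	echo aqa_demo_hardened_link();

	echo '<h2>esc_url_raw() output for a redirect target</h2><pre>';
	echo esc_html( aqa_demo_clean_redirect_target() );
	echo '</pre></div>';
}

add_action( 'admin_menu', function () {
	add_management_page( 'AQA demo', 'AQA demo', 'manage_options', 'aqa-demo', 'aqa_demo_render_page' );
} );
```

The rule of thumb the example encodes: wrap the result in esc_url() wherever it is printed into HTML, and in esc_url_raw() wherever it is used as a raw URL (redirects, storage). Escaping inside the function that builds the URL, rather than at each echo, is what the Codex text had wrongly led people to expect.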
Combined, Themeforest and CodeCanyon sell nearly 8.8K WordPress items. Stephen Cronin, Quality Team Leader for Themeforest and CodeCanyon, has published an official forum post that describes the vulnerability and how sellers can check for it within their items. If an item you sell uses the following code, it is likely affected.
- TGM Plugin Activation class
TGM Plugin Activation is a PHP library created and maintained by Thomas Griffin and Gary Jones that allows developers to require or recommend plugins for themes or plugins. It lets users install, and optionally activate automatically, plugins singly or in bulk using native WordPress classes, functions, and interfaces. Sellers should review their code and follow the guidelines published on the Make WordPress plugins site.
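As a starting point for that review, here is an added example (not the article's, Envato's or TGM's code) of a small PHP CLI script that lists every line in an item calling add_query_arg() or remove_query_arg() without an escaping call on the same line. The script, its name and the built-in sample are assumptions; it is a line-based heuristic, so treat each hit as a place to read, not a verdict.

```php
<?php
/**
 * aqa-audit.php: heuristic scan for unescaped add_query_arg()/remove_query_arg()
 * output. Added example, not part of the article or of any review tooling.
 *
 * Usage:  php aqa-audit.php /path/to/your-item    (scans *.php recursively)
 *         php aqa-audit.php                       (runs on the built-in sample)
 * Exit status is 1 when there is at least one hit, so it can gate a build.
 */

const AQA_TARGETS  = '/\b(add_query_arg|remove_query_arg)\s*\(/';
// Escapers that make the result safe for the context each is named after.
const AQA_ESCAPERS = '/\b(esc_url|esc_url_raw|esc_attr|esc_html)\s*\(/';

/**
 * One finding per line that calls a target function without an escaper on
 * the same line. Known limits of this heuristic: a value assigned to a
 * variable and escaped a few lines later is a false positive, and an escaper
 * applied to the wrong argument on the same line is a miss.
 */
function aqa_scan_source( string $source, string $label = 'input' ): array {
	$findings = array();
	foreach ( explode( "\n", $source ) as $i => $line ) {
		if ( preg_match( AQA_TARGETS, $line ) && ! preg_match( AQA_ESCAPERS, $line ) ) {
			$findings[] = array( 'file' => $label, 'line' => $i + 1, 'code' => trim( $line ) );
		}
	}
	return $findings;
}

function aqa_scan_dir( string $dir ): array {
	$findings = array();
	$iterator = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
	);
	foreach ( $iterator as $file ) {
		if ( $file->isFile() && strtolower( $file->getExtension() ) === 'php' ) {
			$findings = array_merge(
				$findings,
				aqa_scan_source( file_get_contents( $file->getPathname() ), $file->getPathname() )
			);
		}
	}
	return $findings;
}

// Constructed sample standing in for a theme's admin template (not code from
// any real marketplace item). Lines 1 and 5 are genuine hits; line 3 is the
// false-positive case, since $back is escaped on line 4.
$sample = <<<'PHP'
<a href="<?php echo add_query_arg( 'tab', 'general' ); ?>">General</a>
<a href="<?php echo esc_url( add_query_arg( 'tab', 'advanced' ) ); ?>">Advanced</a>
<?php $back = remove_query_arg( array( 'action', '_wpnonce' ) ); ?>
<form action="<?php echo esc_url( $back ); ?>">
<?php echo '<a href="' . add_query_arg( 'paged', 2 ) . '">Next</a>'; ?>
PHP;

$findings = isset( $argv[1] ) ? aqa_scan_dir( $argv[1] ) : aqa_scan_source( $sample, 'sample' );
foreach ( $findings as $f ) {
	printf( "%s:%d: %s\n", $f['file'], $f['line'], $f['code'] );
}
exit( $findings ? 1 : 0 );
```

Run against the sample it reports lines 1, 3 and 5; line 3 is the deliberate false positive. For a bundled library such as TGM Plugin Activation, a clean scan of your own code is not enough: run it over the bundled copy too, or replace the copy with the current upstream release.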
While auditing the TGM Plugin Activation class, an XSS vulnerability was discovered. The class has since been updated, but its version number was not bumped, so a version string alone cannot tell you whether a bundled copy is the fixed one; compare the file against the current upstream release. If you're a seller and use this class, you'll need to obtain the latest version of TGM Plugin Activation and update your item to include it.
If you use OptionTree, the marketplace review team is confident that its existing calls to add_query_arg and remove_query_arg are already escaped properly. A future OptionTree update will add explicit escaping around those calls, and you should include it in your item when it ships, but you shouldn't delay updating your items while waiting for it.
The Redux framework also uses add_query_arg and remove_query_arg, and most of its calls are escaped appropriately. There are a few questionable areas within the framework; the review team will provide updates on those once they receive clarification.
Theme authors who have bundled affected third-party plugins will be contacted by Envato in the next few days and asked to update their themes. You're encouraged to check your bundled plugins before then to see if they're affected.
According to Cronin, all WordPress specific items are being evaluated. Once the evaluation is complete, buyers who purchased an affected item will be notified. There’s no time frame on when the evaluation will be completed, however, Cronin says it is a priority and progress reports will be published in this forum thread.
All Hands on Deck
Cronin says, “When submitting an update that addresses these issues, please include a note mentioning it’s related to the XSS vulnerability. This will allow us to prioritize the review of updates.”
Unlike the WordPress.org plugin directory, Themeforest and CodeCanyon only provide updates, and notify buyers of them, if the buyer registers with the update system. It's not an optimal update routine, since it requires buyers to opt in instead of opt out.
It's important that sellers on Envato's marketplaces do their part to check for and patch any XSS vulnerabilities discovered. It's also important that the lines of communication remain open between the marketplaces and buyers, so buyers can update purchased items as soon as possible. If you do business with Themeforest or CodeCanyon, be on the lookout for updates to items you've purchased.
“…only provide and notify buyers of updates if they register with the update system”
– I’ve never heard of the update system before… how does one opt-in?