Top 10 Vulnerable WP Themes
Please note that many of the themes mentioned here have newer releases that address these issues, so please check your version!
In June we wrote an article on common WordPress template flaws and thought we’d follow up on this.
The following results were taken from the latest 1000 blogs scanned with wp-scanner whose templates were found vulnerable to Cross-Site Scripting.
| Rank | Theme | Number of blogs | Fixed version available? |
| --- | --- | --- | --- |
| 1 | field-of-dreams-02 | 7 | Unknown |
| 2 | tarski | 7 | Unknown |
| 3 | mandigo-14,1.22 | 7 | Unknown |
| 4 | connections | 9 | Unknown |
| 5 | default | 10 | FIXED |
| 6 | freshy | 10 | Unknown |
| 7 | redoable | 15 | Unknown |
| 8 | k2 | 16 | Unknown |
| 9 | vistered-little-1.6a | 16 | Unknown |
| 10 | wp-multiflex-3 | 18 | FIXED |
The above themes were using the default style name, which allowed us to group the results by theme. Overall, 220 of the 1000 blog templates tested had obvious vulnerabilities. Some of these themes are known to have other serious security holes as well.
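As an added example (not code from BlogSecurity, wp-scanner or any of the themes listed above), the following stand-alone PHP script reproduces the searchform.php pattern behind findings of this kind: echoing `$_SERVER['PHP_SELF']` into the form action and the raw search term into the input value, the PHP_SELF and search-form reflection flaws discussed in the comments below. The request values are constructed; the hardened version uses `htmlspecialchars()` so the script runs outside WordPress, where `esc_url(home_url('/'))` and `esc_attr(get_search_query())` are the equivalents (both postdate this post).

```php
<?php
// Added example, not code from BlogSecurity or from any listed theme.
// It simulates a theme's searchform.php that echoes PHP_SELF and the
// raw search term, and the same form with both outputs fixed.

// Constructed request values. In a real request they come from the
// browser: extra path info appended to index.php, and the "s" parameter.
$_SERVER['PHP_SELF'] = '/index.php/"><script>alert(document.cookie)</script><a href="';
$_GET['s'] = '"><img src=x onerror=alert(1)>';

function vulnerable_searchform(): string {
    // Same shape as the classic theme snippet: both values are echoed raw,
    // so the quote in each closes the attribute and injects markup.
    $s = $_GET['s'] ?? '';
    return '<form method="get" action="' . $_SERVER['PHP_SELF'] . '">'
         . '<input type="text" name="s" value="' . $s . '" /></form>';
}

function hardened_searchform(string $home_url): string {
    // Fixed shape: the action is a fixed site URL rather than the request
    // path, and every dynamic value is attribute-escaped before output.
    // ENT_QUOTES also escapes single quotes, in case a theme uses them
    // around attribute values.
    $s = $_GET['s'] ?? '';
    return '<form method="get" action="'
         . htmlspecialchars($home_url, ENT_QUOTES, 'UTF-8') . '">'
         . '<input type="text" name="s" value="'
         . htmlspecialchars($s, ENT_QUOTES, 'UTF-8') . '" /></form>';
}

function contains_injected_tag(string $html): bool {
    // Crude check used only to show the difference: does a <script> or
    // <img> tag that the template itself never writes appear in the output?
    return (bool) preg_match('/<(script|img)\b/i', $html);
}

echo "vulnerable: " . vulnerable_searchform() . "\n";
echo "hardened:   " . hardened_searchform('http://example.com/') . "\n";
var_dump(contains_injected_tag(vulnerable_searchform()));
var_dump(contains_injected_tag(hardened_searchform('http://example.com/')));
```

Whether the PHP_SELF half is reachable depends on the web server passing trailing path info through to index.php (for example Apache with AcceptPathInfo on), which is why the fix is a fixed, escaped site URL in the action rather than relying on server configuration; the unescaped search term is exploitable regardless of that setting.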
Comments
Top 10 Vulnerable Themes for WordPress…
A while ago I told you about wp-scanner, an application that lets you find out how secure your blog is.
The people at BlogSecurity, creators of this application, after running a scan on 1000 blogs, have detected …
Guys, not sure if it is the best idea to post the list of themes and tell the readers that those are vulnerable to XSS.
I like your scanner, which is basically a good idea and an interesting starting point, but I think that some security holes are not produced by the theme but by a plugin.
I ran this scan with an activated social bookmark plugin and found out that I was XSS vulnerable. I checked all lines of the (theme) code – I was sure that there was nothing, and I didn't find anything dangerous.
By deactivating this widget (I also checked all plugins after the scan) the theme was considered as safe again. So what I'm saying is that it might not be the theme, and especially with popular themes and common plugins / widgets you could show a wrong picture.
Frank, thanks for the comments. We did have a good think about this before making some of these results public.
Only the top 10 themes were chosen for the reason you have mentioned. However, as you can see in the results, the vulnerability affects multiple installs of the same theme.
If this incident were isolated to a sidebar widget, then I think we would see different results. Furthermore, if the vulnerability is due to a widget that ships with the theme, then it is still the theme that is affected by the vulnerable software. We will, of course, do our best to always give an accurate picture when analysing the results. I hope this satisfies your concern. Thanks again for your comments.
David, are you saying that the scanner can clearly differentiate between an XSS vulnerability caused by the theme and one caused by a plugin which is not in your list?
Frank, it really depends on the plugin and what it does. If you think you have this situation please send us some more details, and we’ll look into it for you.
[...] to this worry is the announcement by Blog Security of their “Top 10 Vulnerable WordPress Themes”, a list of Themes which feature some of the common WordPress template [...]
[...] BlogSecurity » Top 10 Vulnerable WP Themes The link has more info about this. Thanks to Lorelle for the heads up! (Note: I love Tarski and [...]
[...] WordPress BlogWatch to check for any vulnerability notices relating to themes or plugins, while the post Top 10 Vulnerable WP Themes tallies some themes with Cross-Site Scripting vulnerabilities, sampled through [...]
[...] an organization that deals with web blog security recently posted a list of the top 10 WordPress themes that are vulnerable to Cross-Site Scripting due to template [...]
[...] Update your blogware if you host your own blog. That means, use the newest version of WordPress. Make sure your blog’s theme is up-to-date and secure as well. Don’t use these themes. [...]
[...] For More Information visit http://blogsecurity.net/wordpress/article-050807/ [...]
I'm still baffled by this list. It seems like horribly shoddy research on your part, and possibly libel, to suggest that these themes are vulnerable, to not do the due diligence to find out if they've been updated, or to contact the authors before listing their themes.
tarski, for instance, like most themes, uses get_bloginfo(), rather than $_SERVER['PHP_SELF'].
Libel? :)
There was a lot of controversy about this post, and at some point I'll release part 2.
There is really nothing "shoddy" about it. The vulnerabilities covered here are not just limited to PHP_SELF in the header.
If you'd like to start hunting down theme authors, be my guest – I hate to sound careless, but I have better things to do with my time, and most of them are aware of this post by now.
I've built several blogs for clients lately using Tarski, because I found it so flexible. So my heart sank when I saw that it was on your list. I don't know when the list was last updated, so I thought I'd inquire whether you have any new information about vulnerabilities in the Tarski theme. OMG, I hope the versions I've used are OK!
Thanks for your help.
[...] hackers to add their pieces of code to your blog – and attack your visitors. There’s even a scanner for [...]
Hi Carla, I've just checked the Changelog of the theme, and there are two security issues reported as closed: one is the search Cross-Site Scripting problem mentioned in the linked post, and the other is mostly the PHP_SELF problem (mentioned in Adam's comment a bit above). So it seems that this theme doesn't suffer from vulnerabilities, but we can't tell for sure as we didn't do a full audit of it.
Just a late addition to Adam's post: within the Changelog you find, some weeks before your post, an entry about a possible security hole, mostly the problem mentioned in Adam's comment. So this theme was indeed vulnerable when this post was created.
[...] was surprised to find WP-Multiflex-03 listed in the post ”Top 10 Vulnerable WP Themes“on [...]
Out of a sample of 1000 blogs, 11.5% are vulnerable to XSS…
Using wp-scanner, BlogSecurity has analysed 1000 blogs built with WordPress to discover which templates are vulnerable to XSS attacks.
The result certainly draws attention, since 115 blogs (11.5% of the total…