Filed Under (Articles, WordPress) by DK on 5 August 2007


Please note that many of the themes mentioned here do have new releases of their themes that address these issues, so please check your version!

In June we wrote an article on common WordPress template flaws and thought we’d follow up on this.

The following results were taken from the latest 1000 blogs scanned (see wp-scanner) whose templates were found vulnerable to Cross-Site Scripting.

Theme                       Number of blogs   Fixed version available?
 1. field-of-dreams-02               7        Unknown
 2. tarski                           7        Unknown
 3. mandigo-14,1.22                  7        Unknown
 4. connections                      9        Unknown
 5. default                         10        FIXED
 6. freshy                          10        Unknown
 7. redoable                        15        Unknown
 8. k2                              16        Unknown
 9. vistered-little-1.6a            16        Unknown
10. wp-multiflex-3                  18        FIXED

The above themes were identified by their default style name, which allowed us to group them; in total, however, 220 of the 1000 blog templates tested had obvious vulnerabilities. Some of these themes are known to have other serious security holes as well.


Comments

SigT on 6 August, 2007 at 5:16 am #

Out of a sample of 1000 blogs, 11.5% are vulnerable to XSS…

Using wp-scanner, BlogSecurity analysed 1000 blogs built with WordPress to discover which templates are vulnerable to XSS attacks.

The result certainly draws attention, as 115 blogs were found (11.5% of the total of the…


Quest's Blog on 6 August, 2007 at 8:04 pm #

Top 10 Vulnerable Themes for Wordpress…

A while ago I told you about wp-scanner, an application with which you can find out how secure your blog is.
The people at BlogSecurity, creators of this application, after running a scan on 1000 blogs, have detected …


Frank on 7 August, 2007 at 4:55 pm #

Guys, not sure if it is the best idea to post the list of themes and tell the readers that those are vulnerable to XSS.
I like your scanner, which is basically a good idea and an interesting starting point, but I think that some security holes are not produced by the theme but by a plugin.

I ran this scan with an activated social bookmark plugin and found out that I was XSS vuln. I checked all lines of the (theme) code - I was sure that there was nothing and I didn’t find anything dangerous.

By deactivating this widget (I also checked all plugins after the scan) the theme was considered safe again. So what I’m saying is that it might not be the theme, and esp. with popular themes and common plugins / widgets you could show a wrong picture.


David Kierznowski on 7 August, 2007 at 5:05 pm #

Frank, thanks for the comments. We did have a good think about this before making some of these results public.

Only the top 10 themes were chosen for the reason you have mentioned. However, as you can see in the results, the vulnerability affects multiple installs of the same theme.

If this incident was isolated to a sidebar widget, then I think we would see different results. Furthermore, if the vulnerability is due to a widget that ships with the theme, then it is still the theme that is affected with the vulnerable software. We will, of course, do our best to always give an accurate picture when analysing the results. I hope this satisfies your concern. Thanks again for your comments.


Frank on 9 August, 2007 at 9:25 am #

David, do you say that the scanner can clearly differentiate between an XSS vuln caused by the theme or by a plugin which is not in your list?


David Kierznowski on 9 August, 2007 at 9:43 am #

Frank, it really depends on the plugin and what it does. If you think you have this situation please send us some more details, and we’ll look into it for you.


[…] to this worry is the announcement by Blog Security of their “Top 10 Vulnerable WordPress Themes”, a list of Themes which feature some of the common WordPress template […]


[…] BlogSecurity » Top 10 Vulnerable WP Themes The link has more info about this. Thanks to Lorelle for the heads up! (Note: I love Tarski and […]


[…] WordPress BlogWatch to see whether there is any vulnerability information about themes or plugins, while the Top 10 Vulnerable WP Themes article compiles statistics on some themes with Cross-Site Scripting vulnerabilities; the sample was obtained through […]


Friday Favorites - 08/10/07 | WebGeek on 10 August, 2007 at 9:05 am #

[…] Top 10 Least Secure WordPress Themes. […]


[…] an organization that deals with web blog security recently posted a list of the top 10 WordPress themes that are vulnerable to Cross-Site Scripting due to template […]


WordPress Security on 10 August, 2007 at 7:28 pm #

[…] A Top10-List of vulnerable themes […]


[…] Update your blogware if you host your own blog. That means, use the newest version of WordPress. Make sure your blog’s theme is up-to-date and secure as well. Don’t use these themes. […]


Blackcell.com » Top 10 Vulnerable Wordpress Themes on 13 August, 2007 at 12:32 am #

[…] For More Information visit http://blogsecurity.net/wordpress/article-050807/ […]


adam on 31 October, 2007 at 3:05 pm #

i’m still baffled by this list. it seems like horribly shoddy research on your part, and possibly libel, to suggest that these themes are vulnerable, to not do the due diligence to find out if they’ve been updated, or to contact the authors before listing their themes.

tarski, for instance, like most themes, uses get_bloginfo(), rather than $_SERVER['PHP_SELF'].


DK on 1 November, 2007 at 8:13 am #

libel? :)

There was a lot of controversy about this post, and at some point I’ll release part 2.

There is really nothing "shoddy" about it. The vulnerabilities covered here are not just limited to PHP_SELF in the header.

If you’d like to start hunting down theme authors be my guest - I hate to sound careless but I have better things to do with my time and most of them are aware of this post by now.
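The exchange above turns on whether a theme echoes $_SERVER['PHP_SELF'] into its header unescaped or uses get_bloginfo() instead. As an added example, not part of the original post or of wp-scanner, here is a small Python audit that scans a theme's PHP templates for request-derived superglobals echoed without an escaping call, and reports the line so the theme author can fix it. The two header.php fragments are constructed for the example and are not taken from any theme named in the article; the check is a textual heuristic (an escaping call anywhere in the same echo expression counts) and is an assumption about how such an audit could be written, not a description of how wp-scanner works.

```python
import os
import re

# Constructed sample fragment of a theme header.php (not from any real theme):
# three request-controlled values echoed straight into the page.
VULNERABLE_HEADER = """<form method="get" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<a href="<?php echo $_SERVER['REQUEST_URI']; ?>">permalink</a>
<input type="hidden" name="q" value="<?= $_SERVER['QUERY_STRING'] ?>">
"""

# The same fragment hardened: the form action comes from blog settings via
# get_bloginfo(), and the remaining request values are escaped for their context.
HARDENED_HEADER = """<form method="get" action="<?php echo esc_url(get_bloginfo('url')); ?>">
<a href="<?php echo htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8'); ?>">permalink</a>
<input type="hidden" name="q" value="<?php echo esc_attr($_SERVER['QUERY_STRING']); ?>">
"""

# Request-derived superglobals that a template must not echo verbatim.
TAINTED = re.compile(
    r"\$_SERVER\s*\[\s*['\"](PHP_SELF|REQUEST_URI|QUERY_STRING|HTTP_HOST)['\"]\s*\]"
)
# Escaping/encoding calls that neutralise the value for HTML or URL context.
ESCAPERS = re.compile(
    r"\b(htmlspecialchars|htmlentities|esc_url|esc_attr|esc_html|urlencode|rawurlencode)\s*\("
)
# An echo/print statement or a short echo tag; group 1 is the output expression,
# which ends at the first ';' or closing '?>'.
OUTPUT = re.compile(r"<\?(?:php\b\s*(?:echo|print)\b|=)(.*?)(?:;|\?>)", re.S)


def audit_template(source):
    """Return (line, superglobal, expression) for each unescaped echo of a tainted value.

    Heuristic: any escaping call inside the same expression is taken as sufficient,
    so `htmlspecialchars('x') . $_SERVER['PHP_SELF']` would be a false negative.
    """
    findings = []
    for m in OUTPUT.finditer(source):
        expr = m.group(1)
        taint = TAINTED.search(expr)
        if taint and not ESCAPERS.search(expr):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, taint.group(1), expr.strip()))
    return findings


def audit_theme_dir(theme_dir):
    """Walk a theme directory, audit every .php file, and return {path: findings}."""
    report = {}
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = audit_template(fh.read())
                if findings:
                    report[path] = findings
    return report


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, audit_template(src))
```

Run it against a theme directory with audit_theme_dir("wp-content/themes/<theme>") to get a per-file list of offending lines; the vulnerable sample yields three findings and the hardened one none. Because a plugin or sidebar widget can echo the same values, a clean result for the theme files alone does not mean the rendered page is clean, which is the point Frank raises above.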


WordPress Security » ITbananas on 19 June, 2008 at 12:34 am #

[…] that the template we use has no security holes | plugin: […]

