<div dir="ltr">Lol @Otto, you've been the source of all that as it seems :)<div><br></div><div>@Emil - yes, I know this one specifically is fixed (even in the advisory it's recommended for people to actually update to the latest release). I was just thinking about some internal process of following repositories and advisories (just as Otto said he does on a regular basis) and notifying authors about this - preferably with ready security patches. We don't have any control over people running sites with these themes, so we can't notify them now, but I was brainstorming out loud about different methods to point out some critical security troubles or run a mailing list (to point out the latest security vulns for themes) or something like this.<br>
<br>Just for the sake of the overall WP community. Some of the themes might even be part of the WordPress.com system with millions of people running them (and we don't want the same freaking scenario as the DDoS attack in March). </div>
<div><br></div><div>@Otto, I'm going to research the latest plugin vulnerability trends in the mailing lists tonight and report accordingly if there is anything still available in the repo. </div><div><br>All the best,<br clear="all">
<div dir="ltr"><br>Mario Peshev<br>Training and Consulting Services @ DevriX<div><a href="http://www.linkedin.com/in/mpeshev" target="_blank" class="vt-p">http://www.linkedin.com/in/mpeshev</a><br><a href="http://peshev.net/blog" target="_blank" class="vt-p">http://peshev.net/blog</a><br>
</div></div><br>
<br><br><div class="gmail_quote">On Sun, Oct 9, 2011 at 8:12 AM, Otto <span dir="ltr"><<a href="mailto:otto@ottodestruct.com">otto@ottodestruct.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Sat, Oct 8, 2011 at 11:45 PM, Mario Peshev <<a href="mailto:mario@peshev.net" class="vt-p">mario@peshev.net</a>> wrote:<br>
</div><div class="im">> Someone in the mailing list mentioned the Atahualpa theme and I just reminded<br>
> myself about an XSS attack revealed for this theme<br>
> - <a href="https://sitewat.ch/en/Advisories/8" target="_blank" class="vt-p">https://sitewat.ch/en/Advisories/8</a> (originated from a Russian security<br>
> site - <a href="http://www.securitylab.ru/vulnerability/407851.php" target="_blank" class="vt-p">http://www.securitylab.ru/vulnerability/407851.php</a> ). There are<br>
> actually lots of other themes reported out there.<br>
> The Russian one (not quite sure about the sitewat one) is, I believe, the most popular<br>
> security site in Russia (I don't live there, but I have followed their<br>
> sources for the past 5 years and have never seen any other good source).<br>
> Therefore, as expected, lots of other users with security knowledge observe<br>
> their advisories and could take advantage of some of the reports.<br>
> Is there any way to keep an eye on some top resources of vuln lists (or<br>
> create a list to review once a week) and report to the authors with a standard<br>
> mail or add some text to the /extends that the theme needs an update? Since<br>
> some of the themes have tens of thousands of downloads, it could be<br>
> dangerous for most users.<br>
> It could even be an internal source for WP, but I don't know how wise it is to<br>
> report WP vulnerabilities on the WP site itself.<br>
> Any comments on that?<br>
><br>
<br>
</div>Not to, you know, brag or anything, but guess who alerted the author<br>
of that theme to the XSS vulnerability in 3.6.7, and provided a fix?<br>
;)<br>
<br>
We try to be on top of it, as far as it goes. If you find any security<br>
issues with anything live on <a href="http://wordpress.org" target="_blank" class="vt-p">wordpress.org</a>, please email<br>
<a href="mailto:security@wordpress.org" class="vt-p">security@wordpress.org</a>. Many very, very smart people get those emails,<br>
and act accordingly.<br>
<br>
If you find an issue with a plugin, email <a href="mailto:plugins@wordpress.org" class="vt-p">plugins@wordpress.org</a> about<br>
it instead. That tends to be faster for the specific case of plugins,<br>
which are more numerous and have special cases.<br>
<br>
I follow *lots* of mailing lists, including many, many security<br>
related ones. Several others do too. We try our best, but we're not<br>
perfect, and sometimes we miss things, so please email the relevant<br>
addresses if there is any issue you think we didn't see.<br>
<font color="#888888"><br>
-Otto<br>
</font><div><div></div><div class="h5">_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org" class="vt-p">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank" class="vt-p">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
</div></div></blockquote></div><br></div></div>