[theme-reviewers] Security of themes (just top layer)

Otto otto at ottodestruct.com
Sun Oct 9 05:12:00 UTC 2011


On Sat, Oct 8, 2011 at 11:45 PM, Mario Peshev <mario at peshev.net> wrote:
> Someone on the mailing list mentioned the Atahualpa theme and I just reminded
> myself about an XSS attack revealed for this theme
> https://sitewat.ch/en/Advisories/8 (originated from a Russian security
> site - http://www.securitylab.ru/vulnerability/407851.php ). There are
> actually lots of other themes reported out there.
> The Russian one (not quite sure about the sitewat one) is, I believe, the most
> popular security site in Russia (I don't live there, but I have followed their
> sources for the past 5 years and never seen any other good source).
> Therefore, as expected, lots of other users with security knowledge observe
> their advisories and could take advantage of some of the reports.
> Is there any way to keep an eye on some top resources of vuln lists (or
> create a list to review once a week) and report to the authors with a standard
> mail or add some text to the /extends page that the theme needs an update? Since
> some of the themes have tens of thousands of downloads, it could be
> dangerous for most users.
> It could even be an internal source for WP, but I don't know how wise it is to
> report WP vulnerabilities on the WP site itself.
> Any comments on that?
>

Not to, you know, brag or anything, but guess who alerted the author
of that theme to the XSS vulnerability in 3.6.7, and provided a fix?
;)

We try to be on top of it, as far as it goes. If you find any security
issues with anything live on wordpress.org, please email
security at wordpress.org. Many very, very smart people get those emails,
and act accordingly.

If you find an issue with a plugin, email plugins at wordpress.org about
it instead. That tends to be faster for the specific case of plugins,
which are more numerous and have special cases.

I follow *lots* of mailing lists, including many, many security
related ones. Several others do too. We try our best, but we're not
perfect, and sometimes we miss things, so please email the relevant
addresses if there is any issue you think we didn't see.

-Otto