[wp-trac] [WordPress Trac] #62783: WordPress.org theme replacing custom theme of same name.
WordPress Trac
noreply at wordpress.org
Wed Jan 8 14:01:09 UTC 2025
#62783: WordPress.org theme replacing custom theme of same name.
-------------------------------+------------------------------
Reporter: mattk1980 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Themes | Version: 6.7.1
Severity: normal | Resolution:
Keywords: reporter-feedback | Focuses:
-------------------------------+------------------------------
Comment (by siliconforks):
Replying to [comment:3 mattk1980]:
> Thank you for your help here, i ended up just giving it a new name. It
made me think though, would it be possible for someone to create a theme
on wordpress.org deliberately targeting someones custom child theme name
(without the Update URI header)? In order to override their website with
malicious code?
Well, obviously, malicious code is not allowed in the theme directory, and
if someone managed to add a theme with malicious code it would presumably
be taken down pretty quickly. But yes, potentially someone could create a
malicious theme in the theme directory with the same name as an existing
theme (not available in the theme directory), and that could overwrite the
existing theme. I would recommend always using the `Update URI` header
for themes which are not in the theme directory.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62783#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list