[wp-trac] [WordPress Trac] #62783: WordPress.org theme replacing custom theme of same name.

WordPress Trac noreply at wordpress.org
Wed Jan 8 14:01:09 UTC 2025


#62783: WordPress.org theme replacing custom theme of same name.
-------------------------------+------------------------------
 Reporter:  mattk1980          |       Owner:  (none)
     Type:  defect (bug)       |      Status:  new
 Priority:  normal             |   Milestone:  Awaiting Review
Component:  Themes             |     Version:  6.7.1
 Severity:  normal             |  Resolution:
 Keywords:  reporter-feedback  |     Focuses:
-------------------------------+------------------------------

Comment (by siliconforks):

 Replying to [comment:3 mattk1980]:
 > Thank you for your help here, I ended up just giving it a new name.  It
 > made me think though, would it be possible for someone to create a theme
 > on wordpress.org deliberately targeting someone's custom child theme name
 > (without the Update URI header)? In order to override their website with
 > malicious code?

 Well, obviously, malicious code is not allowed in the theme directory, and
 if someone managed to add a theme with malicious code it would presumably
 be taken down pretty quickly.  But yes, potentially someone could create a
 malicious theme in the theme directory with the same name as an existing
 theme (not available in the theme directory), and that could overwrite the
 existing theme.  I would recommend always using the `Update URI` header
 for themes which are not in the theme directory.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/62783#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
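
An added example, not part of the original ticket or of WordPress core: a Python script that lists installed themes whose `style.css` has no `Update URI` header, which is the header recommended in the comment above. The header matching approximates WordPress's own parsing (only the first 8 KB of the file is read); the theme names and the update URL in the sample data are constructed.

```python
import re
import tempfile
from pathlib import Path

HEADER_BYTES = 8192  # WordPress reads only the first 8 KB of style.css for headers


def read_header(css_path, name):
    """Return the value of a style.css header field, or '' if it is absent."""
    head = css_path.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
    head = head.replace("\r", "\n")
    m = re.search(r"^[ \t/*#@]*" + re.escape(name) + r":(.*)$", head, re.I | re.M)
    if not m:
        return ""
    # Drop a trailing comment terminator on the same line, then trim whitespace.
    return re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()


def audit_themes(themes_dir):
    """List themes (by directory slug) whose style.css has no Update URI header."""
    findings = []
    for css in sorted(Path(themes_dir).glob("*/style.css")):
        if not read_header(css, "Update URI"):
            findings.append({
                "slug": css.parent.name,
                "name": read_header(css, "Theme Name"),
                "parent": read_header(css, "Template"),  # set for child themes
            })
    return findings


def build_sample(root):
    """Constructed sample themes directory (not real themes)."""
    samples = {
        "acme-child": "/*\nTheme Name: Acme Child\nTemplate: acme\n*/\n",
        "acme": "/*\nTheme Name: Acme\nUpdate URI: https://updates.example.com/acme\n*/\n",
    }
    for slug, css in samples.items():
        (Path(root) / slug).mkdir()
        (Path(root) / slug / "style.css").write_text(css)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in audit_themes(build_sample(tmp)):
            print(f"{f['slug']}: no Update URI (Theme Name: {f['name']!r})")
```

Point `audit_themes()` at a site's `wp-content/themes` directory; themes that really were installed from the theme directory will also be listed, so the entries to review are the custom ones.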

