WP TurnKey - Turn-Key WordPress installation and maintenance services
WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins
Ohhhh! Nice site! I like it a lot :)
Are you interested in handling security reports to plugin authors? I'm quite slack at reporting plugin problems to authors, and when I do, I rarely remember to follow up to ensure that they do actually fix the issues (scarily those I have checked usually don't). If you are happy to handle that side of things yourself, I'll happily forward plugin names to you as I find issues with them.
I'll PM a couple of links to you for very popular plugins with security holes in them to add to your list. They've both been reported to the plugin repository and/or the developer and not been acted on.
Themes that are hosted on wp.org have gone through the theme review folks.
Ya, just wanted to add: I only list stuff from wordpress.org; it wouldn't make much sense to include plugins and themes from the "wild", aka Google search :)
As for themes, I have seen a few; for instance, recently there was a major issue with timthumb.php that affected many themes (probably 50+). I know woothemes went and fixed many of their themes, but checking all themes for timthumb versions doesn't seem like something anyone would want to do.
Generally speaking, themes go untested amongst the security community compared to plugins, and the theme review team seems to weed out a lot; the problem is that people get their themes from all over the place, but plugins generally come from .org.
"Are you interested in handling security reports to plugin authors?"
Sure, I will go through the semi-official channels and typically give 2-3 weeks for a fix before publishing any issues.
My goal with the site is to educate and also dispel some of the myths related to wp/security.
We do our best, but thorough security review is still fairly new for most of us. If we miss anything - either something specific in a specific Theme, or something in general for which we don't check - please let us know!
(For general security issues, feel free to email the theme-reviewers mail list. For specific vulnerabilities in specific Themes, please contact me or any other WPTRT member, or Otto, directly.)
This is one of the reasons that TimThumb is all but prohibited now for repository-hosted Themes. The primary reason is that 99% of the functionality can be handled by core Post Thumbnail functionality (or core PHP functionality, for the image filtering); but the secondary reason is that older versions have known security issues, and it is too difficult to try to stay on top of development of such third-party code.
Aaandd, the security flaw in the "plugin which shall not be named" is STILL present. I'm getting in contact with Otto again to find out what the deal is.