News Item

More XSS Vulnerabilities Found in WordPress Themes

By: Fahmida Rashid, PC Magazine

Several WordPress themes have been found to contain a cross-site scripting (XSS) vulnerability, according to a professional penetration tester. If you have a WordPress blog and are using one of the affected themes, you need to download the fixed themes and install them to close the XSS flaws.

XSS vulnerabilities can be found in the Unite, Salutation, Intersect, and Traject themes from Parallelus, said Janne Ahlberg, a Finnish product security professional and penetration tester. The themes generally range between $30 and $60 and can be easily found on Themeforest.net, a theme marketplace for WordPress environments.

If left unpatched, the flaws would let attackers remotely execute JavaScript code on the site. Within a day of Ahlberg publicizing the issue, Parallelus took action, correcting all issues in the themes. Ahlberg claimed he had originally tried to inform the developer about the issues through a Web form and had gotten no response.
