Search Results for 'ie'

  • #148906
    magnus
    Power User

    I thank you very much for the information. I was a little worried when it was quiet from you, but now I can relax a little.

    I wish you all at Cryout Creations a nice weekend.

    #148903
    Zed
    Cryout Creations mastermind

    Hi everyone and sorry about the delay with a clarification.

    As the warning message displayed by the security plugin itself reads, “this makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages”.

    Due to sub-optimal/missing sanitization to the get_the_author() calls used by the theme, this issue can affect (larger) websites if rogue registered users (contributor/editor levels and above are needed) decide to insert unwanted content in their user name fields.

     

    Personally, I find it weird that it’s the theme’s responsibility for sanitizing this data since it’s a core WordPress function returning database-stored content. If that field is not expected to store advanced HTML markup then WordPress should perform the proper level of sanitization/filtering on save.

    To be clear, the theme does not handle any saving or input processing for this data, it only displays whatever WordPress already has saved in the database for the user name field, which has passed WordPress existing sanitization rules when that data was saved through the dashboard by users with sufficient permissions on the site.

     

    This code has been in our themes in the same or very similar form since their launch (starting with Mantra back in 2009) and we have yet to have any kind of reports about XSS exploits through this route – frankly, if a rogue registered user with sufficient access decides to embed bad content on the site, the user name field is the least of your worries (and most likely not the first target).

    This is only now popping up now because a security tester bulk reported the insufficient sanitization to patchstack.com (a large vulnerabilities testing/disclosing database which also offers paid security services), and several security plugins are taking inspiration for their lists of things to monitor from there.

     

    Regardless of circumstances, we’ll be hardening the sanitization around the several get_the_author() function calls used in our themes, but since this issue is considered low severity/priority even by the patchstack.com report, we’ll be addressing it in the regular¹ theme updates cycle as we get to them¹ – for example, the correction is already present in the Bravada 1.1.3 update released yesterday.

    ¹ Mr. Kay had a different plan so you may already notice updates out there addressing this.

     

    Status update: As of January 24th 2025, all our themes received updates to harden sanitization on author name output function calls.

     

    PS: I’ve split this topic from the original post as that one was about mixed http/https content in the page, which is a different matter.

    • This reply was modified 7 months ago by Zed. Reason: updated for updates status
    • This reply was modified 3 months ago by Zed. Reason: status update

    If you like our creations, help us share by rating them on WordPress.org.
    Please check the available documentation and search the forums before starting a topic.
    #148801
    magnus
    Power User

    I am also concerned about the complete silence from Cryout Creations.

    This message appeared on several of my web pages several weeks ago:

    XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API to create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.

    I have been using the Tempera theme for about 10 years and one of my web pages is really big with over 1000 posts and almost 1000 pages and there are about 33000 images. So it would be a really big job to change the theme.

    Website: www.hojresor.se

    #148796

    More information. Please let me know if there’s a fix. Jetpack’s fix is to remove the mantra plug-in.

    Themes Vulnerabilities
    Mantra <= 3.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

    Description: The Mantra theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    Affects Themes: mantra
    No known fix

    References
    CVE: CVE-2024-44056
    URL: https://www.wordfence.com/threat-intel/vulnerabilities/id/ced6450a-7d5a-4091-8181-98c005e74346

    Classification
    Type: XSS
    OWASP top 10: A7: Cross-Site Scripting (XSS)
    CWE: CWE-79
    CVSS: 6.4 (medium)

    Miscellaneous
    Original Researcher: stealthcopter
    Verified: No
    WPVDB ID: bf10fd17-849d-404a-8da4-ad633e048c24

    Timeline
    Publicly Published: 2024-08-29 (about 9 days ago)
    Added: 2024-09-05 (about 1 days ago)
    Last Updated: 2024-09-05 (about 1 days ago)

    #148726
    bassicsax
    Power User

    FYI, I did get a reply from Kay to my Priority Support request. (I should mention it came in a day after I sent the request, I just didn’t see it.) It reads:

    Thanks a lot for the info, we’re in the process of addressing that for a future theme update.
    Thanks again and have a great day!

    If we can help you further, please reply to this email or create a new ticket.
    Kay, Cryout Creations

    OK, so this gives me reason to hope. I have to say, the Bravada theme and Plus themes I use have been updated over the last 6 or so months.

    I am guessing CC had some personnel reductions? IDK, but at least we have reasons to be optimistic, b/c like so many of you, I am not a developer. I just have my own sites, and those of clients. If I did have to switch, I couldn’t pass that cost on in a way that would truly off-set the time I would have to spend on such an enormous job.

    • This reply was modified 7 months ago by bassicsax.
    #148703
    Rocky Trifari
    Power User

    Agreed, we have been left with very little choice. In my case, thankfully, I am not yet encountering any errors or incompatibilities with my theme (at least, nothing major that I can’t work around) which is pretty wild considering it has been OVER 2 YEARS since the last update. At this point, my main concern is keeping up with security patches and code best practices, areas where all of us are objectively falling behind by continuing to use code that’s not being monitored or updated.

    I suppose it would be smart for us to get ahead of some catastrophic failure by beginning to look elsewhere or in my case, potentially find someone to hire to help reconstruct everything.

    #148701
    Rocky Trifari
    Power User

    Hi, I do not believe these forums are still being checked, unfortunately. I would not anticipate any updates, at least… anytime soon, if ever.

    #148647
    lynnvr
    Power User

    Aha, I am glad I am not the only one having troubles. Unfortunately, I am not a developer, I only manage a few sites (free) for clubs/associations of which I am a member and for myself. Since the latest PHP and WordPress updates, I have been having problems with plugins that have always worked (Ninja Forms, Stripe payments in Events Manager, etc.). Their managers say it is not a problem with the plugin, probably with my theme (Parabola) compatibility. What to do if no replies? Sigh…

    Website: www.sterrenwacht-gv.nl

    • This reply was modified 7 months ago by lynnvr.
    #148554
    magnus
    Power User

    I got this message for several days now. What should I do about it?

    XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API to create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.

    #148248
    xofmedia
    Power User

    I’m not sure how old this problem is but I filed a couple support tickets and haven’t heard back. I’m running Fluida Plus now but this problem is also on Septera Plus for other sites I use the themes for.

    I found this previous post:
    https://www.cryoutcreations.eu/forums/t/comment-counter-on-blog-page

    This seems to confirm Cryout Creations are aware of the issue in August 2023, but it’s now 2024 and no fix… Is support dropping?

    I used this fix by just adding some css (style.css):

    /* Removes itemprop="discussionURL" */
    .comments-link {
        visibility: hidden;
    }

    This seems to remove the problem areas for me while leaving the comments themselves on and the comments count in place for thumbnails (ie: related posts). Temporary fix I’m hoping.

    Website: xofmedia.com

    #148181

    How can I add this functionality to the Tempera theme?

    “In Bravada 1.0.7.1 we’ve adjusted this functionality slightly to limit the previous/next post links from the same (main) category (if it exists) as the post being viewed.”

    #147802
    Elke Wetzig
    Power User

    Hi, I don’t think simple hrefs can cause these warnings. The mixed content in your website seems to be caused by your cookie and/or chat plugin:

    http://3modx.org.uk/wp-content/plugins/cookie-law-info/lite/frontend/images/revisit.svg
    http://3modx.org.uk/wp-content/plugins/cookie-law-info/lite/frontend/images/close.svg
    http://agilecrm.s3.amazonaws.com/livechat/assets/whatsup-chat.png

    Some browsers might block the external insecure sources right away (chat), or you see your site only with the cookie bar non-visible/cookies set, which might influence the different browser behaviour.

    #147528

    Very cool theme, but recently received a critical alert from Google Search Console that there is a missing ‘author’ field. This seems to apply to the Comments on a post, not the actual post. There is author information displayed for the original post and the comments/discussion, but Google does not recognise this. Also have an advisory warning that ‘Comment’ object must be nested inside a ‘CreativeWork’ object.

    #147254
    lynnvr
    Power User

    I am only a hobby user and not a programmer so cannot help you unfortunately, but I have had a similar problem in Parabola for a couple of weeks now. I too have been happily using Parabola for our astronomy club’s website for eons and until recently, it has worked fine on all platforms. The desktop version is fine, responsiveness and zoom are enabled as they have been for years. Now, in mobile, our main/presentation page is dropping the third column. On normal pages with a right sidebar, the main content has been radically shortened in width, not readable and lots of white space right, while the sidebar content, which is now displayed below the white space, looks normal. I have touched nothing that I can think of to cause this.

    I have tried disabling plugins (and no new plugins have been added recently/since it was working) but so far that has not helped either, so I don’t think that is the problem. Our hosting provider has recently updated everyone to a new version of WordPress and a new PHP version – so I am guessing that is what the problem is, especially in light of your post. I have sent in a support request but no answer as yet (it has only been hours – not complaining). To be continued…

    Website: www.sterrenwacht-gv.nl

    #146890

    Hello, what is the exact size of the background image for the Bravada header?
    because every time I upload an image either it’s too small and so the header video on my home page is no longer the full width
    or the image I’m uploading is too large, so the image is truncated

    because I want a video in the background of my home page header
    and the other pages an image
    thanks in advance

    this is the site in question: http://www.festivalcinemaenliberte.com/
    on the home page, the video is displayed as I want it to be

    For example, on this page: https://www.festivalcinemaenliberte.com/index.php/2024/05/24/selection-officielle-2/
    the header background image is cropped

    thanks in advance

    Translated with DeepL.com (free version)

    #146368

    Hello,

    I’m having an issue on Mobile with the hamburger menu.

    If I were to have three drop down menu parents in the order A, B and C…

    I can open menu parent C and see its contents. I may then want to open the menu parent B which is above C, this will automatically close menu parent C to the open B, which is great. This works for anything above the current open parent item.

    However, if I start with a higher parent such as A or B and then try to open one below it such as parent C, I don’t receive the same result. Instead, the current menu will close, the new menu will then open but close straight away. Sometimes clicking on a link below the menu.

    I’ve removed all custom css before writing this and I get the same result. I have tried this using the dev tools on edge and chrome (with mobile view) and chrome and safari on an iphone.

    Is this a known issue with a particular version of the theme or wordpress?

    I can replicate the issue on https://demos.cryoutcreations.eu/wordpress/parabola/no-sidebar when toggling between the ‘Page Layouts’ and ‘Dropdown Menus’ parent items. But I can’t replicate the issue on the menus within the ‘Dropdown Menus’ menu.

    Hello,
    I use Septera for a website. I just tried to use a logo. But on the landing page, the header-area behind the main menu and logo are transparent. Since the full-screen photo on my landing page has a dark background and the logo is black, it disappears on that page.
    Is it possible to always have this background white, also on the landing page? I think this is the standard setting on the Fluida Theme, so do I have to switch to Fluida or is it possible to do this in Septera too?
    Thank you!
    Hervé

    #146274

    Topic: wp_body_open in mobile?

    in forum Bugs

    I’m trying to use a sitewide notification, and several plugins can display beautifully on desktop but not on mobile. I thought perhaps Parabola (which I’ve been using for eons, bought way back) was too old to handle the hook so I tried Bravada, but it did not display on mobile either. However Twenty Twenty Four displays the message on mobile, so it’s not an issue of faulty plugins. Can anyone help me to get this visible on mobile? Thanks!

    #146216

    Hi, I have the SEPTERA THEME V1.5.1. I have the menu which I created with Elementor, Block Editor, & Classic Editor. The PC desktop version menu tabs look correct. The preview of the mobile version looks correct with the hamburger (three lines) drop down. However, when I bring up the website on my Android phone, the hamburger is missing and there is a big “X” covering it. It’s on all pages on my cell phone, so I don’t think it’s a plugin issue. Is there a way I can fix this, so it will show the hamburger button on the cell phone? Thanks!!

    #146197

    I have Septera Version: 1.5.1. I used Elementor and Block Builder for my main page. On the desktop or mobile live version:

    1) The header image is correct, but there used to be a light blue color overlay over it. Now, it is in black and white.
    2) The site title is now at the top of the page above the header and pushes the menu over to the right.
    3) The “San Diego Mobile Notary” & “Mobile Notary Public Serving San Diego Businesses and the Public” have white font as programmed, but now that the image background is in black and white, I cannot see the wording on the live site.
    4) The “The San Diego Mobile Notary” below the header image is cut off so only three quarters of the word is showing.

    Everything else on the first page seems correct. How can this be fixed when all the previews of the page look correct, but once live it is incorrect?

    My SETTINGS: In WordPress Customize/Site Identity/Header Media, the header and menu look correct: https://thesandiegomobilenotary.com/wp-admin/customize.php?return=%2Fwp-admin%2Fnav-menus.php&autofocus%5Bcontrol%5D=header_image. In Customizing ▸ Colors/Content, the overlay is correct. In Elementor, the Site Settings/Global Color/System Colors/Primary is correct. In Site Settings/Settings Background, background type is set to classic. Also, Global Colors/Primary is correct. In Site Settings/Background Color, when I click on the little world, the primary global color is correct for the desktop version. The mobile browser background is correct, too. The site title, Mobile Notary San Diego|Notary Public for the People, appears correct and is below the header under The San Diego Mobile Notary. Thanks for any help!

    #146114

    Since WordPress has upgraded to 6.5 I believe I am getting an error on the theme.
    It has something to do with /js/jquery/jquery-migrate.min.js, and themes/parabola/js/frontend.js?m=1691558905&cb=1
    So I was wondering if an update would be coming in the future.

    #146026

    Hello, I hope someone can help me, my site is not responsive. I use the Nirvana child theme and the plugin Custom Sidebars. In the mobile view (smaller than 800px) the sidebars should move to the end, but this doesn’t work.
    Thanks for your reactions.

    #145984

    Hello, I discovered your theme today and I am beginning with it. I’m French and I would like to know something. It’s a site for my friend who sells handmade toys.

    In the free version of Bravada, is it possible to put the slogan on the right, and how do I change the color of the title in the middle? Currently there are two colors.

    Thank you

    #145930

    1. I am trying to set up a site for a club. The mobile version is not working: The site identity text meant to be on the header background will on mobile overlap/overlay the page titles/headings which show across the slider/banner image. There it shows the text as double overlay piled onto each other, not readable.

    2. Also on tablet/iPad version the menu in dark text moves down from the light heading area to overlay the dark banner image, becoming unreadable. It would be better to have a burger menu for tablet view. Is this possible?

    #145600

    Topic: Video in Header

    in forum How To

    Hello!

    Yes, I know, there are a lot of topics about this famous video in the Bravada theme header. But I don’t understand how to display it. I went to Appearance/Header and tried to upload different videos, to put different links and to unlink the background image I had, but unfortunately nothing worked.

    Your help would be very welcome!

    Thank you
    Dams

    #145592

    Hi everyone, I’ve encountered similar issues with emojis not rendering correctly in animations. One workaround I’ve found is to use HTML entities for the emojis instead of the actual emoji characters. For example, you can replace the heart emoji with &#10084; in your title. It’s not a perfect solution, but it might help as a temporary fix until the bug in the animation tool is resolved. Hope this helps!

    #145242
    Kevin
    Power User

    Hi,

    I would like to submit a feature request for Bravada. It would be great if we could add some of our own CSS classes to the CTA buttons. I am currently doing this by editing the template, respectively by working with a child theme and a modified landing-page.php.

    So maybe you could implement two more fields in the customiser for adding the classes to the CTA buttons.

    Best regards

    #145191

    I have paid for a subscription and submitted a Support Ticket 6 days ago and nobody has replied. It seems there is no way to get hold of anyone here.


    #145048

    Thanks for the update, had the same issue on a client website..
    BTW which CSS plugin do you use.. I ask you this because CSS keeps reverting back to old settings whenever there are updates…?

    Website: joss.si

    #144818
    mayernissim
    Power User

    Recently all the headings (h1, h2, h3, h4 etc.) on the site seem to be underlined, and my client is pretty sure they weren’t before (could this have happened in a recent update?).

    I’ve tried to remove them using Additional CSS (both with and without !important) and it’s not worked.

    /* Remove text decoration from all headers with !important */
    h1, h2, h3, h4, h5, h6 {
        text-decoration: none !important;
    }

    Any ideas how to fix this?

    Thank you in advance!

Viewing 30 results - 31 through 60 (of 3,208 total)