September 7th, 2024 at 06:21 #148795
Jetpack just returned a security warning tonight on Mantra 3.3.2.
These items require your immediate attention
The theme mantra (version 3.3.2) has a publicly known vulnerability. (1h ago)
Fix threat
Vulnerability found in theme

September 7th, 2024 at 06:30 #148796
More information. Please let me know if there’s a fix. Jetpack’s fix is to remove the mantra plug-in.
Themes Vulnerabilities
Mantra <= 3.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
Description
The Mantra theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affects Themes
mantra
No known fix
References
CVE
CVE-2024-44056
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ced6450a-7d5a-4091-8181-98c005e74346
Classification
Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)
Miscellaneous
Original Researcher
stealthcopter
Verified
No
WPVDB ID
bf10fd17-849d-404a-8da4-ad633e048c24
Timeline
Publicly Published
2024-08-29 (about 9 days ago)
Added
2024-09-05 (about 1 day ago)
Last Updated
2024-09-05 (about 1 day ago)

September 7th, 2024 at 20:45 #148801
magnus (Power User)
I am also concerned about the complete silence from Cryout Creations.
This message appeared on several of my web pages several weeks ago:
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API to create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.
I have been using the Tempera theme for about 10 years, and one of my web pages is really big, with over 1000 posts, almost 1000 pages and about 33000 images. So it would be a really big job to change the theme.
Website: www.hojresor.se
September 10th, 2024 at 23:59 #148865
I am getting this error from Jetpack, and have now started to look for new themes to use on my blogs. I used the “Free” themes, and well, this isn’t good when the owners don’t answer anything.
Jetpack Protect detected the following security threats in your site:
Parabola <= 2.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Jetpack Protect detected the following security threats in your site:
Nirvana <= 1.6.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

September 11th, 2024 at 10:28 #148866
magnus (Power User)
I don’t use Jetpack but I get the warnings anyway.
Website: www.gestrikeantennservice.com
September 13th, 2024 at 16:54 #148903
Zed (Cryout Creations mastermind)
Hi everyone, and sorry about the delay with a clarification.
As the warning message displayed by the security plugin itself reads,
“this makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages”

Due to sub-optimal/missing sanitization to the get_the_author() calls used by the theme, this issue can affect (larger) websites if rogue registered users (contributor/editor levels and above are needed) decide to insert unwanted content in their user name fields.
Personally, I find it weird that it’s the theme’s responsibility for sanitizing this data since it’s a core WordPress function returning database-stored content. If that field is not expected to store advanced HTML markup then WordPress should perform the proper level of sanitization/filtering on save.
To be clear, the theme does not handle any saving or input processing for this data, it only displays whatever WordPress already has saved in the database for the user name field, which has passed WordPress existing sanitization rules when that data was saved through the dashboard by users with sufficient permissions on the site.
This code has been in our themes in the same or very similar form since their launch (starting with Mantra back in 2009) and we have yet to have any kind of reports about XSS exploits through this route – frankly, if a rogue registered user with sufficient access decides to embed bad content on the site, the user name field is the least of your worries (and most likely not the first target).
This is only popping up now because a security tester bulk reported the insufficient sanitization to patchstack.com (a large vulnerabilities testing/disclosing database which also offers paid security services), and several security plugins are taking inspiration for their lists of things to monitor from there.
Regardless of circumstances, we’ll be hardening the sanitization around the several get_the_author() function calls used in our themes, but since this issue is considered low severity/priority even by the patchstack.com report, we’ll be addressing it in the regular theme updates cycle as we get to them[1] – for example, the correction is already present in the Bravada 1.1.3 update released yesterday.

[1] Mr. Kay had a different plan, so you may already notice updates out there addressing this.
PS: I’ve split this topic from the original post as that one was about mixed http/https content in the page, which is a different matter.
September 13th, 2024 at 17:44 #148906
magnus (Power User)
I thank you very much for the information. I was a little worried when it was quiet from you, but now I can relax a little.
I wish you all at Cryout Creations a nice weekend.
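Zed’s post above names the sink: the theme byline echoes whatever get_the_author() returns, without escaping it on output. The block below is an added illustration, not code from any Cryout Creations theme, and not an exploit against one. It shows the unescaped pattern beside the hardened one-line fix (esc_html() at output time, which is the WordPress convention regardless of what core did on save), plus a small audit helper a site owner can run over user rows while waiting for a theme update. The display names are constructed payloads for the demo; the get_the_author()/esc_html() stand-ins exist only so the file runs from the PHP CLI outside WordPress, where the real core functions take over.

```php
<?php
// Added example (not theme code). Demonstrates why an unescaped
// get_the_author() call is a stored-XSS sink, the fix, and an audit helper.

// Stand-ins so this runs without WordPress. Inside WP, function_exists()
// is true and the real core functions are used. The display name returned
// here is a CONSTRUCTED payload, not data from any real site.
if ( ! function_exists( 'get_the_author' ) ) {
    function get_the_author() {
        return 'Mallory <script>alert(document.cookie)</script>';
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    // Approximates core esc_html(): encode <, >, &, quotes; don't double-encode.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8', false );
    }
}

// BEFORE: the pattern the advisory describes. The stored display name is
// concatenated into the byline as raw HTML, so any markup in it is parsed.
function byline_vulnerable() {
    return '<span class="author">' . get_the_author() . '</span>';
}

// AFTER: escape at output time ("late escaping"). The same value is now
// rendered as text; the browser never sees a <script> element.
function byline_hardened() {
    return '<span class="author">' . esc_html( get_the_author() ) . '</span>';
}

// Audit helper: accepts user rows as arrays (e.g. from a SELECT on wp_users)
// or WP_User objects (from get_users()), and returns those whose display
// name contains angle brackets, a javascript: URL or an on*= handler.
function find_suspicious_display_names( array $users ) {
    $hits = array();
    foreach ( $users as $u ) {
        $name = is_object( $u ) ? (string) $u->display_name : (string) $u['display_name'];
        if ( preg_match( '/<|>|javascript:|\bon\w+\s*=/i', $name ) ) {
            $hits[] = $u;
        }
    }
    return $hits;
}

// Constructed sample rows for the demo.
$sample_users = array(
    array( 'ID' => 1, 'user_login' => 'admin',   'display_name' => 'Site Admin' ),
    array( 'ID' => 7, 'user_login' => 'mallory', 'display_name' => 'Mallory <script>alert(1)</script>' ),
    array( 'ID' => 9, 'user_login' => 'eve',     'display_name' => 'Eve <img src=x onerror=alert(1)>' ),
);

echo "Vulnerable byline:\n  " . byline_vulnerable() . "\n";
echo "Hardened byline:\n  " . byline_hardened() . "\n\n";
echo "Suspicious display names:\n";
foreach ( find_suspicious_display_names( $sample_users ) as $u ) {
    printf( "  ID %d (%s): %s\n", $u['ID'], $u['user_login'], $u['display_name'] );
}
```

Run it with `php demo.php` (any file name) to see the two bylines side by side. On a live site the quickest way to get the rows for the audit helper is `wp user list --fields=ID,user_login,display_name`, or `get_users()` from a small mu-plugin; a hit does not by itself prove exploitation, but every flagged display name deserves a look and a reset. For text inside an element esc_html() is the right call; if the author name were being placed into an attribute (a title="" or alt="") the theme would use esc_attr() instead.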
September 13th, 2024 at 18:08 #148911
bassicsax (Power User)
Thank you Zed!
October 1st, 2024 at 20:19 #149295
I have the PARABOLA theme on two sites. They appear as vulnerable and there is no update. I am advised to delete it. Obviously I don’t want to change the theme. What is the solution?
Website: celpebrasnapratica.com
November 25th, 2024 at 22:37 #150229
Addressing XSS Vulnerability Reported by WordFence/Jetpack
I recently received a notification from WordFence (or Jetpack) regarding a potential XSS (Cross-Site Scripting) vulnerability affecting my WordPress site. The alert mentioned that the vulnerability might be related to a plugin or theme in use. I’m currently using one of your themes ([Theme Name]) alongside a few other plugins.
Website: fluxusteamexecutor.com
December 12th, 2024 at 05:58 #150538
It’s concerning to hear about the Split XSS vulnerability reported by Wordfence and Jetpack. Keeping plugins and themes up to date is crucial in protecting our sites from security risks. Have there been any recommended fixes or updates from Cryout Creations to address this vulnerability? Additionally, for those running affected versions, are there any interim solutions to mitigate the risk until an official patch is released?
Website: nlcblottoresult.com
December 12th, 2024 at 11:42 #150539
(This reply is private.)

December 12th, 2024 at 11:43 #150541
magnus (Power User)
Maybe Cryout Creations are not doing anything about this XSS vulnerability because they want us to change to a newer theme.
But that’s not going to work, because they are going to get less new customers when they are not taking care of the old ones.
Website: www.hojresor.se
December 12th, 2024 at 15:37 #150548I agree with you. I feel let down.
Website: celpebrasnapratica.com
December 12th, 2024 at 19:12 #150550
bassicsax (Power User)
I am not sure what errors you folks are all getting. I use Cryout Creations in all the websites that I’ve created for clients, as well as myself. I use a variety of themes, some Plus, some Free, ranging from Bravada to Septera.
Although I too was getting error codes a few months ago, those long ago have vanished. I no longer get them in either Jetpack or Wordfence.
Just last week I updated everyone’s sites to the latest version of WP (6.2) and all their plugins. No error codes appear.
I would be lying if I didn’t acknowledge that I have been frustrated with the tech response in the past by CC. That said, in the end they have come through, and did reply and sent out the patches, or told me how to fix what needed to be fixed.
I appreciate the hard work Zed and the team at CC have done on their themes and plugins. They are functional, and quite user friendly.
Website: bassic-sax.info/version5
December 12th, 2024 at 20:22 #150553
The problem I am having is with the PARABOLA theme.
Website: celpebrasnapratica.com