Yesterday we were made aware via the security blog Sucuri of a serious vulnerability in two popular WordPress plugins available for sale on CodeCanyon from the author ThemePunch: Revolution Slider and Showbiz Pro (WordPress).
This vulnerability allows unauthenticated remote attackers to read files from the web server of any site running an unpatched version of either plugin (Sucuri's post, linked below, has the technical details). It affects all versions of Revolution Slider earlier than 4.2 (released in February 2014) and all versions of Showbiz Pro earlier than 1.5.3 (released in January 2014). The plugins were patched by their author in those releases, so the risk today is to sites that have not picked up the update, in particular sites that received the plugin as part of a theme.
These are highly popular plugins, sold both directly on CodeCanyon and indirectly through inclusion in many popular WordPress themes sold on ThemeForest. As a result, we expect numerous websites to be at risk and are moving to help buyers secure their sites immediately.
What are we doing about it?
We have put together a set of steps that affected buyers can take to secure their sites. These are below. Please read them carefully.
Because the Revolution Slider plugin is so widely used in themes, we have been compiling information on these themes to understand where it appears and whether it has been updated. We are starting to temporarily disable affected themes that have not been updated and contacting the authors of those themes to get an update through as soon as possible. This will take a while, as there are a lot of themes to sort through manually. We are also pulling together a list of everyone who has purchased one of the two plugins or a theme that included them. Showbiz Pro appears to be packaged with only a single theme (the Iguana theme). Revolution Slider appears to be used in this list of potentially affected themes (note that many of these have already been updated with the patch).
We will be contacting all buyers of affected themes directly via their Envato Market email address as soon as possible, to ensure they read and act on this information.
What do you need to do?
Given the severity of the risk and the widespread nature of exposure, we strongly urge you to check if you are affected, and follow the recommended steps immediately.
Did you purchase Revolution Slider or Showbiz Pro (WordPress) from CodeCanyon?
Check the installed versions of the Revolution Slider and/or Showbiz Pro plugins. Details on how to check your plugin are provided below.
If you have a version of Revolution Slider plugin that is 4.2 or higher, or Showbiz Pro that is 1.5.3 or higher, your plugin install has already been patched. No further action is required.
If you are using an earlier version, you need to download the plugin again (to get a more recent version), and install it immediately. You can do so by visiting the item page while logged in. You will see a notice with a download link at the top right of the page:
Go here for Revolution Slider
Go here for Showbiz Pro (WordPress)
Have you purchased a theme containing one of the plugins from ThemeForest?
> View a List of Potentially Affected Themes here
Check any themes you have purchased against the list of potentially affected themes
Check the installed versions of the Revolution Slider and/or Showbiz Pro plugins. Details on how to check your plugin are provided below.
If your installed theme uses a version of Revolution Slider plugin that is 4.2 or higher, or Showbiz Pro that is 1.5.3 or higher, then your plugin install has already been patched, and no further action is required.
If your installed theme uses an earlier version of either plugin, check the theme’s item page for updates. If an updated version of the theme containing the patched plugin is available, download and install it immediately.
If an updated version is not yet available:
Consider removing or disabling the plugin(s) temporarily
Contact Envato Support to receive a free update of the plugin(s)
Go to http://ift.tt/1xjEBoB
Click on ‘Submit a Support Request’
Select ‘Buying and General Support’ from the dropdown menu
Fill in all your details and select ‘I need help with Revolution Slider or Showbiz Pro (WordPress)’ from the ‘Let’s Get Specific’ dropdown menu
Did you purchase a bundle or pack containing the Revolution Slider plugin, Showbiz Pro plugin and/or an affected theme?
The following bundles and packs included affected items:
Corporate Bundle
eCommerce Sampler Pack
WordPress Business Builder Pack
Digital Trends Bundle
Mobile Bundle
Plugins and themes contained within bundles and packs are not eligible for updates
If you purchased one of these bundles or packs:
Consider removing or disabling the plugin(s) temporarily
Contact Envato Support to receive a free update of the plugin(s)
Go to http://ift.tt/1xjEBoB
Click on ‘Submit a Support Request’
Select ‘Buying and General Support’ from the dropdown menu
Fill in all your details and select ‘I need help with Revolution Slider or Showbiz Pro (WordPress)’ from the ‘Let’s Get Specific’ dropdown menu
How to Check Plugin Versions
To check whether you have the updated version of Revolution Slider or Showbiz Pro, please follow these instructions:
Log into the WordPress Admin area
Go to the plugins screen
Locate the Revolution Slider or Showbiz Pro plugin in the list
Check the version number (as shown in the screenshot).
If the version number of the Revolution Slider plugin is 4.2 or higher, or Showbiz Pro is 1.5.3 or higher, you are using a version which contains the fix for the security flaw. If not, follow the instructions above to get an update and patch it immediately. Note that the Plugins screen only lists copies installed under wp-content/plugins; a copy of either plugin that a theme ships inside its own directory (for example as a bundled zip archive) will not appear there, so sites using an affected theme should also confirm that the theme itself has been updated.
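The manual check above covers one site at a time and only the copy installed as a plugin. For someone administering many sites, or checking whether a theme still carries an old copy of the plugin, the following script scans a wp-content directory (plugins and themes, including plugin .zip archives bundled inside theme folders) and compares each copy's version with the patched releases named in this post. This is an added example written for this page, not Envato's or ThemePunch's code. It assumes the plugin main files carry the standard WordPress header comment with "Plugin Name:" and "Version:" lines, and that the header names contain "Revolution" (Slider Revolution / Revolution Slider) or "Showbiz"; the sample wp-content tree it builds is constructed for the demonstration.

```python
"""Scan a wp-content tree for unpatched Revolution Slider / Showbiz Pro copies.

Added example, not the plugin author's or Envato's code. Assumptions:
plugin main files carry a WordPress header comment with "Plugin Name:"
and "Version:" lines (WordPress itself reads the first 8 KB for these),
and the names contain "Revolution" or "Showbiz".
"""
import io
import os
import re
import tempfile
import zipfile

# Patched releases stated in the advisory above.
PATCHED = {"revslider": (4, 2), "showbiz": (1, 5, 3)}

HEADER_RE = re.compile(r"^[\s*#/]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M | re.I)


def parse_version(text):
    """'4.1.4' -> (4, 1, 4); stops at the first non-numeric component."""
    parts = []
    for piece in re.split(r"[.\-]", text.strip()):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_at_least(have, want):
    """Compare version tuples, padding the shorter one with zeros ((4,2) == (4,2,0))."""
    n = max(len(have), len(want))
    return have + (0,) * (n - len(have)) >= want + (0,) * (n - len(want))


def identify(plugin_name):
    """Map a 'Plugin Name' header value to a PATCHED key, or None if unrelated."""
    name = plugin_name.lower()
    if "revolution" in name or "revslider" in name:
        return "revslider"
    if "showbiz" in name:
        return "showbiz"
    return None


def assess_header(header_text):
    """Return (key, version_tuple, is_patched) for an affected plugin header, else None."""
    fields = {k.lower(): v for k, v in HEADER_RE.findall(header_text)}
    if "plugin name" not in fields or "version" not in fields:
        return None
    key = identify(fields["plugin name"])
    if key is None:
        return None
    ver = parse_version(fields["version"])
    return key, ver, version_at_least(ver, PATCHED[key])


def read_plugin_headers(root):
    """Yield (location, first 8 KB) for PHP files on disk and top-level PHP files inside .zip archives."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.endswith(".php"):
                with open(path, "rb") as f:
                    yield path, f.read(8192).decode("utf-8", "replace")
            elif fn.endswith(".zip"):
                try:
                    with zipfile.ZipFile(path) as zf:
                        for member in zf.namelist():
                            if member.endswith(".php") and member.count("/") <= 1:
                                with zf.open(member) as f:
                                    yield path + "!" + member, f.read(8192).decode("utf-8", "replace")
                except zipfile.BadZipFile:
                    continue  # not a real archive; ignore


def scan(wp_content):
    """Return [(location, key, version_string, is_patched)] for every affected copy found."""
    findings = []
    for loc, header in read_plugin_headers(wp_content):
        result = assess_header(header)
        if result:
            key, ver, ok = result
            findings.append((loc, key, ".".join(map(str, ver)), ok))
    return findings


def build_fixture():
    """Constructed sample wp-content: an unpatched plugin install plus a theme bundling a patched zip."""
    root = tempfile.mkdtemp(prefix="wpcontent_")
    plug = os.path.join(root, "plugins", "revslider")  # directory name is an assumption
    os.makedirs(plug)
    with open(os.path.join(plug, "revslider.php"), "w") as f:
        f.write("<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.1.4\n*/\n")
    theme = os.path.join(root, "themes", "sample-theme", "plugins")
    os.makedirs(theme)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("showbiz/showbiz.php", "<?php\n/*\nPlugin Name: Showbiz Pro\nVersion: 1.5.3\n*/\n")
    with open(os.path.join(theme, "showbiz.zip"), "wb") as f:
        f.write(buf.getvalue())
    return root


if __name__ == "__main__":
    root = build_fixture()
    for loc, key, ver, ok in scan(root):
        print(("PATCHED   " if ok else "VULNERABLE"), key, ver, os.path.relpath(loc, root))
```

Point `scan()` at a real site's wp-content directory (for example `scan("/var/www/example/wp-content")`) to get the list; any finding reported as not patched needs the update steps above, and a theme-bundled archive that is not patched means the theme itself still needs updating even if the installed plugin copy is current.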
What are we doing to ensure this doesn’t happen again?
We take security seriously at Envato and are looking to revise how authors disseminate information about important updates for security or other critical issues.
In this instance the plugin’s author moved quickly to patch the plugin and made some efforts to let their plugin buyers know of the update. Unfortunately, Envato only became aware of the issue, its nature and its severity when the Sucuri blog post was released. Consequently, this information was not propagated to affected users until now.
I’d like to apologize to any affected buyers on Envato Market as we should have better processes for authors to alert us, so we can assist them to get word out faster.
We will be releasing guidelines and processes to make sure issues like this get to us faster, and to help authors make sure their buyers are updated and patched as fast as possible.
We are also going to revisit how updates are handled for bundles and themes that include separate plugins.
More Information
If you have further questions about what you need to do, please contact support.
You can read more about the vulnerability on Sucuri’s blog post.
The post Serious Vulnerability in WordPress Plugin sold via Envato Market appeared first on Market Blog.