May 6, 2014 at 6:07 pm #260875
My ticket was closed but I have an update from the plugin support.
VaultPress, the plugin causing the issue, has responded as follows:
….that error message does come from VaultPress. It’s part of a hotfix for a security threat in this file (part of the Abundance theme): themes/abundance/framework/php/avia_shortcodes/preview-shortcode-external.php
VaultPress includes that hotfix to help protect your site against the issue mentioned here: http://www.woothemes.com/2012/04/framework-shortcode-exploit-has-been-fixed/
I’d recommend getting in touch with the Abundance theme author so they can address the security issue on their end.
Can you please help resolve this issue with the theme.
LyseMay 6, 2014 at 6:09 pm #260877May 6, 2014 at 6:25 pm #260884
Other than WooCommerce we have protected the file with a check if the user generating the shortcode is logged in and can edit files, so there should be no way for anyone other than an admin( who already can edit the whole theme) to use the file. I am not sure how VaultPress determines which file to block (probably based on file name, since the theme uses the same basic shortcode framework that woocommerce used) but I dont think that there is a problem here. However if they got any additional information on the topic I will gladly put it to good use in case they contact me or the info is passed along somehow :)
KriesiMay 7, 2014 at 4:38 pm #261368May 7, 2014 at 10:53 pm #261526
Although I consider it extremely unlikely that it is possible to do something malicious here I have released another small update that adds a another check as well. Should be available within the next hour
May 10, 2014 at 4:35 pm #262786May 12, 2014 at 5:25 am #263123
- This reply was modified 6 months, 3 weeks ago by Kriesi.
I’ll ask Kriesi if the patch has been uploaded on themeforest. All you need to do is download the latest version from your themeforest account then update the theme via FTP. Please refer to this link for more info: http://www.kriesi.at/documentation/enfold/updating-your-theme-files/
IsmaelMay 12, 2014 at 9:47 am #263207May 12, 2014 at 3:16 pm #263296
I upgraded to the latest version this morning and my security error is back when I try to insert QUOTE, INFO BOX, etc…
LyseMay 13, 2014 at 9:29 am #263810
Did you report the update to VaultPress? We added a nonce to the ajax request and their detection of CSRF attacks might be outdated now.
PeterMay 17, 2014 at 1:23 am #266048
The topic ‘Shortcodes – security issue’ is closed to new replies.