    #260875

    Hi

    My ticket was closed but I have an update from the plugin support.

    VaultPress, the plugin causing the issue, has responded as follows:

    ….that error message does come from VaultPress. It’s part of a hotfix for a security threat in this file (part of the Abundance theme): themes/abundance/framework/php/avia_shortcodes/preview-shortcode-external.php

    VaultPress includes that hotfix to help protect your site against the issue mentioned here: http://www.woothemes.com/2012/04/framework-shortcode-exploit-has-been-fixed/

    I’d recommend getting in touch with the Abundance theme author so they can address the security issue on their end.

    Can you please help resolve this issue with the theme?

    Thanks
    Lyse

    #260877

    Hi tremblayly!

    Thanks for sharing! I will let Kriesi know about it

    Regards,
    Yigit

    #260884

    Hey!

    Other than WooCommerce, we have protected the file with a check that the user generating the shortcode is logged in and can edit files, so there should be no way for anyone other than an admin (who already can edit the whole theme) to use the file. I am not sure how VaultPress determines which file to block (probably based on file name, since the theme uses the same basic shortcode framework that WooCommerce used), but I don't think that there is a problem here. However, if they have any additional information on the topic I will gladly put it to good use in case they contact me or the info is passed along somehow :)

    Cheers!
    Kriesi

    #261526

    Hey!

    Although I consider it extremely unlikely that it is possible to do something malicious here, I have released another small update that adds another check as well. It should be available within the next hour.

    Regards,
    Kriesi

    #262786

    Hi Kriesi

    What do I need to do or when is the upgrade available?

    Lyse

    #263123

    Hi!

    I’ll ask Kriesi if the patch has been uploaded on themeforest. All you need to do is download the latest version from your themeforest account then update the theme via FTP. Please refer to this link for more info: http://www.kriesi.at/documentation/enfold/updating-your-theme-files/

    Regards,
    Ismael

    #263207

    Hey!
    Yes, it's already available ;)
    Best regards,
    Kriesi

    #263296

    Hi
    I upgraded to the latest version this morning and my security error is back when I try to insert QUOTE, INFO BOX, etc…
    Lyse

    #263810

    Hey!

    Did you report the update to VaultPress? We added a nonce to the ajax request and their detection of CSRF attacks might be outdated now.

    Regards,
    Peter

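    The two protections described in this thread (a logged-in, can-edit-files check on the shortcode preview handler, and a nonce on the AJAX request) sketched as a WordPress admin-ajax handler. This is an added illustration, not the Abundance/Enfold theme's own code; the action name `avia_preview_shortcode`, the nonce action `avia_shortcode_preview` and the `edit_theme_options` capability are assumptions for the example.

```php
<?php
// Added illustration (not the theme's own code): a WordPress admin-ajax
// shortcode-preview handler, first as the unprotected pattern and then
// hardened with the two checks discussed in the thread. Action name,
// capability and nonce name are assumed for the example.

// BEFORE: anything that reaches admin-ajax.php can render arbitrary shortcode
// markup. Nothing ties the request to a logged-in editor or to a form that
// the site itself produced, so a forged request from another site succeeds.
function avia_preview_shortcode_unprotected() {
    $shortcode = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( $shortcode );
    wp_die();
}

// AFTER: (1) the request must carry a per-user nonce bound to this action,
// which is what defeats cross-site request forgery against a logged-in editor;
// (2) the caller must be logged in and already hold a capability that lets
// them edit the theme, so the endpoint grants nothing they do not have.
function avia_preview_shortcode_protected() {
    // check_ajax_referer() terminates the request when the nonce is missing
    // or invalid; the nonce is only valid for the user who generated it.
    check_ajax_referer( 'avia_shortcode_preview', 'nonce' );

    if ( ! is_user_logged_in() || ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $shortcode = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( $shortcode );
    wp_die();
}

// Register the handler for authenticated requests only. Deliberately omitting
// the matching wp_ajax_nopriv_ hook means anonymous visitors never reach it.
add_action( 'wp_ajax_avia_preview_shortcode', 'avia_preview_shortcode_protected' );

// Emits the hidden nonce field the shortcode editor's JavaScript must post
// back as the 'nonce' parameter; call it on the admin screen hosting the editor.
function avia_preview_shortcode_nonce_field() {
    wp_nonce_field( 'avia_shortcode_preview', 'nonce' );
}
```

    A scanner that only keys on the file name, as Kriesi suspects VaultPress does, will still flag the hardened handler; the nonce and capability checks are what actually close the CSRF and privilege gap.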
    #266048

    Hi!

    I am closing this now, since I don't think that we can do any more right now. If you get any feedback, feel free to use the contact form at http://www.kriesi.at/contact to send me the info :)
    Regards,
    Kriesi


The topic ‘Shortcodes – security issue’ is closed to new replies.