A number of WordPress themes being distributed by the developer Parallelus are vulnerable to cross-site scripting (XSS) attacks, reports said.
Themes, bits of PHP and HTML code that alter the look and functionality of sites, are usually installed via WordPress’ dashboard tool or by FTP.
According to Janne Ahlberg, a Finnish product security professional and pentester, the XSS vulnerabilities lie in the Unite, Salutation, Intersect and Traject themes. The themes cost around $30-$60 for a regular license on Themeforest.net, a WordPress theme marketplace.
In a post on his blog, Ahlberg notes that not all of the themes and templates associated with Parallelus are vulnerable but that thousands of sites, personal and business, could be affected. Ahlberg notes that there have been almost 5,000 purchases of the Unite theme alone. The XSS vulnerability could lead to the remote execution of JavaScript if left unpatched.
WordPress, the open source blogging platform, has had a checkered history on the security front. Often, the problem lies not in WordPress but in some of the service’s fringe add-ons, such as themes. Hackers exploited a zero day in some themes last year bundled with the image resizing utility timthumb.php. This let attackers take advantage of sites and place malicious HTML to redirect to their own sites. A few other problems including a PHP code execution flaw and XSS vulnerabilities existed on WordPress’s setup page earlier this year.
