A number of WordPress themes distributed by the developer Parallelus are vulnerable to cross-site scripting (XSS) attacks, according to reports.
Themes, packages of PHP and HTML code that alter the look and functionality of a site, are usually installed through WordPress’ dashboard tool or uploaded by FTP.
According to Janne Ahlberg, a Finnish product security professional and pentester, the XSS vulnerabilities lie in the Unite, Salutation, Intersect and Traject themes. The themes cost around $30-$60 for a regular license on Themeforest.net, a WordPress theme marketplace.
WordPress, the open source blogging platform, has had a checkered history on the security front. Often the problem lies not in WordPress itself but in the service’s fringe add-ons, such as themes. Last year hackers exploited a zero day in themes that bundled the image-resizing utility timthumb.php; it let attackers compromise sites and inject malicious HTML that redirected visitors to sites of their own. A few other problems, including a PHP code execution flaw and XSS vulnerabilities, were found on WordPress’ setup page earlier this year.