3 Vulnerabilities patched in Weaver Xtreme Theme Support Plugin

  • #74715
    Patti
    Participant

    I have the WordFence plugin installed on all of my sites. It’s helped keep hackers at bay without me having to code the sites myself. I received an email today that said that your Weaver Xtreme Theme Support Plugin has 3 vulnerabilities & that they could allow hackers into my site. Before I deactivate the plugin (which would potentially render my Weaver Xtreme theme inactive?) I thought I’d ask you what I should do? I am attaching a screenshot of their 3 vulnerabilities.

    #74716
    User
    Moderator

    @Patti

    First, please check that you have the latest versions of all plugins and WP, and let us know.

    If so, please let us have the site URL.  You may make that reply PRIVATE if you want.

    Regards!


    @Weaver

    #74717
    Private Reply
    Patti
    Participant
    This reply has been marked as private.
    #74720
    scrambler
    Moderator

    Maybe I am understanding that wrong, but the report below shows the vulnerability as patched.

    Weaver Xtreme Theme Support (wordfence.com)

    I have wordfence and the plugin within my site does not report any issue with the Xtreme Theme support.

    @weaver, any feedback on that?

    #74723
    Weaver
    Keymaster

    I’m surprised and disappointed with WordFence. They do a great job of finding very obscure vulnerabilities, and report them to the developer. But their guidelines to the developers indicate that if the problem is patched within a very narrow time frame, they won’t unnecessarily alarm users with what are essentially false reports.

    If you look at the report you got, you will notice that all of the reports have the “Patched” status.

    The vulnerabilities all were related to just some of the Weaver Xtreme shortcodes that allowed a site member with Contributor or higher admin privileges to enter JavaScript code. So sites were always safe from visitors. And the only access is on sites with active Contributors or Authors, which is likely a tiny fraction of sites.

    But the holes have been patched, so just be sure you have the latest version of the support plugin. (It is not actually necessary for the main theme to function – the theme support plugin mostly provides some widgets, shortcodes, and the legacy admin interface.)
