Keep Your Themes Up To Date or Else

This last week saw lots of news in the Managed WordPress Hosting space.  One of the services FullContact Site owners enjoy is peace of mind knowing that their sites are always up to date.

Why is this important?

Just think about what happens when you site isn’t secure, if it did get exploited what would that cost you in time, money and reputation?  Because wordpress is so popular means that anyone running a WordPress powered site IS a target.   With the latest stats I saw pointing to almost 1 in 5 web sites being powered by WordPress these days, if you are managing your WordPress site correctly its just a matter of when, not if it will be attacked by hackers.

Just to give you an example here’s last weeks update from WordFence, one of the builtin WordPress plugins included with your FullContact Managed WordPress service.

We are seeing exploits in the wild appear within the last week for the following WordPress themes and plugins . If you are running any of these themes or plugins, check if there is a recent security update and install the update, or remove the item from your system if there is no security update. If you’re unsure, contact the theme/plugin developer or vendor.

  • Cubed Themes version 1.0 to 1.2. Remote file upload vulnerability. Distributed by themeprofessor.com. Exploit released on 9 November 2013.

  • Army Knife Theme, unspecified version. CSRF File Upload vulnerability. Theme is distributed by freelancewp.com. Exploit released 9 November 2013.

  • Charcoal Theme. CSRF File upload vulnerability. Distributed by the official WordPress repository. The theme hasn’t been updated for several years, so we recommend deleting all files from your system.

  • WP Realty Plugin may contain an email sender vulnerability. Please contact vendor for clarification. We’re seeing exploits that claim to exploit this hole. Plugin is distributed by wprealty.org.

  • The following themes distributed by orange-themes.com appear to contain a remote file upload vulnerability and we’re seeing exploits appear in the wild, all published around November 12, 2013: Rockstar Theme, Reganto Theme, Ray of Light Theme, Radial Theme, Oxygen Theme, Bulteno Theme, Bordeaux Theme. Please contact the vendor to find out of your theme is applicable and what action to take.

  • Amplus Theme version 3.x.x contains a CSRF file upload vulnerability. We’re unclear who the vendor is, but it appears to be Themeforest.

  • Make a Statement Theme version 1.x.x (also known as MaS ) contains a CSRF file upload vulnerability. Exploit distributed November 17, 2013. Vendor is themes.mas.gambit.ph.

  • Dimension Theme, unspecified version, contains a CSRF file upload vulnerability. Theme is distributed by ThemeForest. Exploit appeared November 17th, 2013.

  • Euclid Version 1 Theme contains a CSRF File Upload Vulnerability. Exploit appeared today. Theme is distributed by FreelanceWP.com.

  • Project 10 Theme, Version 1.0. Remote file upload vulnerability. Distributed by ThemeForest. Exploit appeared today.

Are you running any of these WordPress Themes? Do you have any of these WordPress Themes installed?

If you take a look at this theme list that it’s not just 3rd party distributed themes only that can be affected.  More than one of theme is a theme available in the WordPress Repository!

Be careful, let FullContact Managed WordPress Hosting and Support make sure that your themes are always up to date!

 

About the Author James

James Maduk is the founder of WPBlogSupport.com as well as the author of the 62 Best Selling "Secrets My Mom Never Told Me About Internet Marketing" ebooks. James also runs WPGrow.com a WordPress Campus with Courses, Workshops and Certification for WordPress Bloggers who want to Start, Build and Grow there WordPress Powered business online.

follow me on:

WordPress Blog Support