#58365 closed defect (bug) (duplicate)
A Bug in the template system
Reported by: | asfarfordev | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 6.2 |
Component: | Upgrade/Install | Keywords: | |
Focuses: | administration, template | Cc: | |
Description
Hi
I think there is a serious vulnerability in the theme system in WordPress that can be used against any site.
I was developing a WordPress theme called Apex, and this morning I was surprised that all the files I developed had changed.
I searched and found that the problem is that there is a theme called Apex in the theme market: it updates automatically.
Therefore, this exploit could be used by any other programmer, for example by creating a theme called hespres and placing it in the store to update the theme of the hespres website if automatic updates are enabled.
Change History (2)
Duplicate of #14179.
Hello @asfarfordev and welcome to Trac.
I guess you missed the statement on top of the new ticket form "Do not report potential security vulnerabilities here."
Generally, if developing a theme, be careful when using a theme slug that is already in use on the repo; prefix it with something like "asfarfordev-apex". And do not turn on automatic updates for self-developed themes.
Or, better, add an "Update URI" (https://make.wordpress.org/core/2022/10/06/introducing-update-uri-theme-header-in-wordpress-6-1/) theme header that does not point to wordpress.org.
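As an added illustration of the Update URI mitigation suggested above (example code written for this page, not part of the ticket or of WordPress core): the theme's style.css declares an Update URI on a host other than wordpress.org, so core no longer matches the directory name against the wordpress.org theme of the same slug, and a small filter in functions.php serves updates from that host instead. The hostname updates.example.com, the info.json endpoint, its JSON shape, and the theme slug asfarfordev-apex are assumptions; the filter hook update_themes_{$hostname} and its arguments are the ones described in the linked 6.1 dev note.

```php
<?php
/**
 * Added example: keep a self-developed theme out of the wordpress.org update
 * check and point it at your own update server instead.
 *
 * Assumed style.css header for the theme directory "asfarfordev-apex":
 *
 *   Theme Name:  Apex
 *   Text Domain: asfarfordev-apex
 *   Version:     1.0.0
 *   Update URI:  https://updates.example.com/themes/asfarfordev-apex
 *
 * Because the Update URI host is not wordpress.org, WordPress 6.1+ skips the
 * wordpress.org lookup for this theme and applies the filter
 * update_themes_{$hostname} (here: update_themes_updates.example.com).
 * Everything below the hook name is assumed: the host, the endpoint, the JSON.
 */

add_filter( 'update_themes_updates.example.com', 'asfarfordev_apex_check_update', 10, 4 );

/**
 * @param array|false $update     Update payload so far (false = none).
 * @param array       $theme_data Parsed style.css headers of the theme.
 * @param string      $stylesheet Theme directory name (slug).
 * @param string[]    $locales    Installed locales.
 * @return array|false
 */
function asfarfordev_apex_check_update( $update, $theme_data, $stylesheet, $locales ) {
	// Only handle our own theme; leave any other theme on this host alone.
	if ( 'asfarfordev-apex' !== $stylesheet ) {
		return $update;
	}

	// Assumed endpoint returning e.g.
	// {"version":"1.0.1","url":"https://updates.example.com/themes/asfarfordev-apex",
	//  "package":"https://updates.example.com/themes/asfarfordev-apex/1.0.1.zip"}
	$response = wp_remote_get(
		'https://updates.example.com/themes/asfarfordev-apex/info.json',
		array( 'timeout' => 10 )
	);
	if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
		return $update;
	}

	$info = json_decode( wp_remote_retrieve_body( $response ), true );
	if ( ! is_array( $info ) || empty( $info['version'] ) || empty( $info['package'] ) ) {
		return $update;
	}

	// Offer nothing unless the server's version is newer than what is installed.
	if ( version_compare( $info['version'], $theme_data['Version'], '<=' ) ) {
		return $update;
	}

	// Refuse a package that is not served over HTTPS from our own host, so a
	// compromised or spoofed info.json cannot redirect installs elsewhere.
	if ( 'https' !== wp_parse_url( $info['package'], PHP_URL_SCHEME )
		|| 'updates.example.com' !== wp_parse_url( $info['package'], PHP_URL_HOST ) ) {
		return $update;
	}

	return array(
		'theme'        => $stylesheet,
		'new_version'  => $info['version'],
		'url'          => isset( $info['url'] ) ? $info['url'] : '',
		'package'      => $info['package'],
		'requires'     => isset( $info['requires'] ) ? $info['requires'] : '',
		'requires_php' => isset( $info['requires_php'] ) ? $info['requires_php'] : '',
	);
}
```

If you do not run an update server at all, the style.css header alone is enough to stop wordpress.org from being consulted for that theme; the filter is only needed when you want to ship your own updates. Either way, confirm the effect on a staging site by checking that the theme no longer appears under the wordpress.org entries in the `update_themes` site transient after an update check.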