Make WordPress Core

Opened 11 months ago

Closed 11 months ago

Last modified 3 months ago

#58365 closed defect (bug) (duplicate)

A Bug in the template system

Reported by: asfarfordev
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 6.2
Component: Upgrade/Install
Keywords:
Focuses: administration, template
Cc:

Description

Hi,
I think there is a serious vulnerability in the theme system in WordPress that can be used against any site.
I was developing a WordPress theme called Apex, and this morning I was surprised that all the files I had developed had changed.
I searched and found that the problem is that there is a theme called Apex in the theme market, and it updates automatically.
Therefore, this exploit can be used by any other programmer, for example by creating a theme called hespres and placing it in the store to update the theme of the hespres website if automatic updates are enabled.

Change History (2)

#1 @knutsp
11 months ago

  • Component changed from General to Upgrade/Install
  • Keywords reporter-feedback removed
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #14179.

Hello @asfarfordev and welcome to Trac.

I guess you missed the statement on top of the new ticket form "Do not report potential security vulnerabilities here."

Generally, if developing a theme, be careful not to use a theme slug that is in use on the repo; prefix it to something like "asfarfordev-apex" instead. And do not turn on automatic updates for self-developed themes.

Or, better, add an "Update URI" theme header that does not point to wordpress.org.

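As an added illustration of the slug-collision risk and the two mitigations named in the comment above (a prefixed slug, or an "Update URI" header pointing away from wordpress.org), the script below audits a theme's style.css header. It is example code written for this page, not part of the ticket or of WordPress core. It parses the standard WordPress file-header format ("Header: value" lines in the first 8 KiB of style.css, as get_file_data() does) and applies the rule from the 5.8 plugin and 6.1 theme "Update URI" dev notes as I understand it: no header, or a header whose host is wordpress.org or w.org, leaves the theme eligible for a repository update; any other value (another domain, or "false") opts it out. The two style.css headers and the example.invalid URL are constructed for the demonstration.

```python
"""Audit WordPress theme headers for the slug-collision risk described in
Trac #58365. Added example, not code from the ticket or from WordPress core."""
import re
from urllib.parse import urlparse

# Hosts that the "Update URI" header may point at while still allowing
# wordpress.org to offer updates (assumption taken from the WP 5.8 / 6.1
# "Update URI" dev notes).
WPORG_HOSTS = {"wordpress.org", "w.org"}

# Header names as they appear in style.css.
HEADERS = ("Theme Name", "Version", "Update URI")


def parse_theme_header(style_css: str) -> dict:
    """Mimic get_file_data(): read only the first 8 KiB and extract
    'Header: value' pairs; a value ends at end of line or at '*/'."""
    head = style_css[:8192].replace("\r", "\n")
    data = {}
    for name in HEADERS:
        pattern = r"^[ \t/*#@]*" + re.escape(name) + r":(.*)$"
        m = re.search(pattern, head, re.M | re.I)
        data[name] = m.group(1).split("*/")[0].strip() if m else ""
    return data


def wporg_update_eligible(update_uri: str) -> bool:
    """True when wordpress.org may still offer an update for this theme:
    - empty header: legacy behaviour, the slug alone decides (eligible);
    - header host is wordpress.org / w.org: eligible;
    - anything else ("false", an own domain): opted out."""
    if not update_uri:
        return True
    host = (urlparse(update_uri).hostname or "").lower()
    return host in WPORG_HOSTS


def audit_theme(slug: str, style_css: str) -> dict:
    """Summarise one installed theme: slug, header values, and whether a
    same-slug theme on wordpress.org could be pushed over it."""
    hdr = parse_theme_header(style_css)
    eligible = wporg_update_eligible(hdr["Update URI"])
    return {
        "slug": slug,
        "name": hdr["Theme Name"],
        "version": hdr["Version"],
        "update_uri": hdr["Update URI"],
        "wporg_update_possible": eligible,
        "advice": ("prefix the slug or set an Update URI off wordpress.org"
                   if eligible else "ok: excluded from wordpress.org updates"),
    }


# Constructed sample headers for the demonstration (not real themes' files).
RISKY_STYLE_CSS = """/*
Theme Name: Apex
Author: asfarfordev
Version: 0.1.0
*/
"""

SAFE_STYLE_CSS = """/*
Theme Name: Apex
Author: asfarfordev
Version: 0.1.0
Update URI: https://example.invalid/themes/asfarfordev-apex
*/
"""

if __name__ == "__main__":
    for slug, css in (("apex", RISKY_STYLE_CSS),
                      ("asfarfordev-apex", SAFE_STYLE_CSS)):
        print(audit_theme(slug, css))
```

In practice you would feed audit_theme() the directory name and style.css of every theme under wp-content/themes; the first sample (plain "apex" slug, no Update URI) is flagged, the second is not.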

#2 @swissspidy
3 months ago

  • Milestone Awaiting Review deleted