Martech Scholars

Marketing & Tech News Blog

2 WordPress Themes in ThemeForest Found with Critical Vulnerabilities

WordPress Security Alert: 500k+ Users in Danger


Highlights

  • Two popular, widely-used WordPress themes sold through ThemeForest have been discovered to carry critical vulnerabilities.
  • These vulnerabilities may allow malicious attackers to delete files, inject malicious code, and even take over control of the websites.
  • One of them has not yet been patched, leaving its users exposed.


WordPress Security Breach:

Serious security vulnerabilities were discovered in two of the most popular WordPress themes, Betheme and Enfold. Hundreds of thousands of websites may be exposed as a result. Both themes are sold through ThemeForest, a marketplace for WordPress themes and plugins, and together they account for more than 500,000 sales.

Betheme Theme Vulnerability:

Wordfence, the security leader in WordPress, has issued an advisory about a high-severity PHP Object Injection vulnerability in the Betheme theme. Attackers with contributor-level access or above can use it to execute code on the website, leading to data theft, file deletion, and ultimately full website compromise.

The vulnerability has since been patched in the Betheme theme, and users are encouraged to update to the latest version to reduce the risk. It should be noted, however, that the Wordfence advisory does not identify the patch, which may indicate a problem with the update.

Vulnerability in Enfold Theme:

A vulnerability was also identified in the Enfold theme. This one is rated medium severity: a Stored XSS vulnerability that allows an attacker to have malicious script executed on the website's pages. Although its severity rating is lower, the consequences of such an XSS attack can still be significant, including compromised user data and phishing.

Unfortunately, at this time no patch has been released for the vulnerability in the Enfold theme. Wordfence advises users of this theme to consider uninstalling it and finding a replacement until a fix is released.

Impact of the Vulnerabilities:

The vulnerabilities in Betheme and Enfold pose a serious threat to the security of every website using either theme. If exploited, they give attackers unauthorized access to the site, allowing them to steal sensitive information or disrupt business operations.

Security Best Practices:

To keep your WordPress website safe from vulnerabilities like these, follow these security best practices:

  • Keep WordPress and plugins updated: Always keep your WordPress installation and all of your plugins up to date with the most recent versions. This ensures that security vulnerabilities are patched as they appear.
  • Strong passwords: Make sure to create strong and unique passwords for your WordPress admin account, as well as any other sensitive account.
  • Activate two-factor authentication: Adding an additional layer of protection through two-factor authentication can significantly reduce the risk of unauthorized access.
  • Install a good security plugin: A reputable security plugin protects against common threats, from malware and hacking attempts to SQL injection.
  • Back up regularly: Regular backups are crucial so that you can restore the website if something goes wrong, such as a security breach or data loss.

Vulnerabilities within WordPress Themes: An Increasingly Exploited Threat

The recent discovery of critical vulnerabilities in the popular WordPress themes Betheme and Enfold highlights the growing threat posed by security flaws in widely used templates. As the popularity of WordPress continues to grow rapidly, so does the risk of malicious attacks against websites built on the platform.

Understanding WordPress Themes:

Simply put, WordPress themes are templates that outline how your website is supposed to look and the way it is laid out. These usually come by way of third-party developers who either sell or freely provide them. While it’s easy to use a theme to get your website looking professional, it might also introduce security vulnerabilities if the theme is not well-developed or maintained.

Common Types of Vulnerabilities in WordPress Themes:

  • SQL Injection: This vulnerability occurs when user-provided input is not sanitized or validated before being inserted into a database query. An attacker can exploit it to gain illegitimate access to sensitive data or even take control of the website.
  • XSS: Cross-Site Scripting (XSS) is an attack in which an attacker injects malicious script into a website, which is then executed in other users' browsers. Attackers may use it to steal user data, hijack sessions, or redirect users to malicious sites.
  • PHP Object Injection: This class of vulnerability arises when user-supplied data is passed to PHP's unserialize() without validation, allowing an attacker to instantiate arbitrary objects and potentially achieve arbitrary PHP code execution. An attacker could exploit PHP Object Injection to gain unauthorized access to a website or to run malicious code on it.
  • File Inclusion Vulnerabilities: These occur when user input is allowed to specify the path of a file that the website includes in its content. Attackers may exploit file inclusion to include malicious files or to read sensitive files they are not authorized to access.
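As an added illustration of the PHP Object Injection and Stored XSS classes above (this is a hypothetical theme settings handler, not code from Betheme, Enfold, or Wordfence), here is the vulnerable pattern beside its hardened form; it assumes it runs inside WordPress, where sanitize_text_field() and esc_html() are available.

```php
<?php
// Added example; hypothetical theme code, not from any real theme.
// A theme widget round-trips its settings through a form field that any user
// who can submit a post (contributor and above) can control.

// --- PHP Object Injection: vulnerable pattern ---
// Feeding the raw field straight to unserialize() lets the submitter decide
// which PHP classes get instantiated, and their __wakeup()/__destruct() run.
function theme_settings_unsafe( array $request ): array {
    $raw      = $request['widget_settings'] ?? '';
    $settings = unserialize( $raw ); // untrusted input -> object injection
    return is_array( $settings ) ? $settings : [];
}

// --- Hardened form ---
// 1. Carry plain data as JSON, never as a PHP object graph.
// 2. If legacy serialized strings must still be accepted, refuse object
//    creation: unserialize( $raw, [ 'allowed_classes' => false ] ) (PHP 7+).
// 3. Validate the shape and range of every field before using it.
function theme_settings_safe( array $request ): array {
    $raw      = $request['widget_settings'] ?? '';
    $settings = json_decode( $raw, true );
    if ( ! is_array( $settings ) ) {
        return [];
    }
    $clean            = [];
    $clean['columns'] = max( 1, min( 4, (int) ( $settings['columns'] ?? 1 ) ) );
    $clean['title']   = sanitize_text_field( (string) ( $settings['title'] ?? '' ) );
    return $clean;
}

// --- Stored XSS: vulnerable vs. hardened output ---
// The stored title is later echoed into a page viewed by other users,
// including administrators.
function render_title_unsafe( string $title ): string {
    return '<h2 class="widget-title">' . $title . '</h2>'; // raw user data in HTML
}
function render_title_safe( string $title ): string {
    // esc_html() encodes <, >, &, " and ' so stored markup is displayed, not run.
    return '<h2 class="widget-title">' . esc_html( $title ) . '</h2>';
}
```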

Factors Contributing to the Rise of Theme Vulnerabilities:

  • Rapid Development: Competition among theme developers is intense, and shortcuts taken to ship themes quickly can introduce vulnerabilities.
  • Lack of Security Testing: Some theme developers do not conduct proper security testing before releasing their products, so vulnerabilities go undetected.
  • Third-Party Plugins: Most themes today depend on third-party plugins, which can introduce vulnerabilities if they are not kept updated or configured correctly.
  • User's Fault: Sometimes site owners themselves introduce vulnerabilities by misconfiguring their themes or plugins.

How to Minimize the Risks of Theme Vulnerabilities:

To keep your WordPress site safe from such vulnerabilities, take the following steps:

  • Keep Themes and Plugins Up-to-Date: Every time an update is available, make sure you update your theme and plugin. Updates normally address the known security issues.
  • Choose Reputable Theme Developers: Favour themes built by developers known for secure, well-maintained products.
  • Run Security Audits: Regularly audit your WordPress website to discover and eliminate potential threats.
  • Install a Security Plugin: Use a dependable security plugin that adds further protection against common threats.
  • Educate Your Team: Make sure your team understands the risks associated with WordPress themes and knows how to evaluate and address possible weak links in the chain.

The future of WordPress theme security, in all likelihood, has only one place to go, and that is up.

While WordPress theme vulnerabilities are a major threat, both theme developers and website owners can take proactive steps. Developers should emphasize security while building their products and test them thoroughly before release. Website owners should be diligent about updating themes and plugins, conducting security audits, and following security best practices.

Together we can make WordPress a more secure and robust platform.

