Important security update for our WordPress themes released

We've just finished a new round of updates for our WordPress themes. Along with the usual suite of minor fixes and improvements, we've also had to update the TGM Plugin Activation class, a PHP library created by Thomas Griffin and Gary Jones, in which the WordPress security team recently discovered a cross-site scripting (XSS) vulnerability that needed to be patched to keep our themes secure.

What went wrong?

The WordPress Codex is a vast and complex resource that can provide users new and old with in-depth information about any aspect of WordPress use and development. Naturally, something this large is going to have the occasional mistake.

Usually this won't cause too many issues, but this time the documentation for two particular functions, add_query_arg() and remove_query_arg(), was not communicated properly. Many developers came to believe that these functions "escape" user input, that is, remove any potentially unsafe characters or strings from it. That turned out not to be the case, and because a large number of plugins and themes had used these functions on that assumption, they were vulnerable to attack.

In the case of our themes, one component was found to have used these functions: the TGM Plugin Activation class, which simplifies the installation of the plugins a theme requires to work correctly. Instead of hunting for those plugins manually, users can have them installed and activated automatically after theme activation, using native WordPress classes, functions and interfaces, which saves a lot of time and hassle.

Our themes have now been updated and the vulnerability patched, but it is essential that all users now update their theme to ensure they are running the safest version available.

If you're averse to updating (perhaps because you've made a large number of modifications to the theme without using a child theme), the next section covers how to patch the vulnerability manually without losing your modifications.

Manual Update

If you want to remove this vulnerability without updating the theme package as a whole, you only need to replace a single file, though which file depends on the type of theme you are using. If you're running one of our older, GavernWP framework-based themes, replace the class-tgm-plugin-activation.php file found in the gavern/classes/ folder of the theme. If you are using one of our newer themes that rely on the Theme Customizer without the framework, replace the class.tgm.php file found in the addons/ folder. The updated file can be taken from our updated theme package (simply download and extract it to access the folders), or you can get it directly from the plugin authors on their site. It's also available in the related GitHub repository if you'd prefer to use that.

Be safe, check your other plugins

The issues this mistake has caused are far-reaching, as many plugin developers have relied on these functions for their own functionality. For this reason we strongly advise checking for updates to each of your plugins, as most active developers will be working hard to get a fix released as soon as possible.

Bear in mind that although in our case the issue was confined to a particular class, it may also be present in the code of your plugins if their authors used one of the aforementioned functions, so simply replacing the TGM-related files may not be enough. If in doubt, contact the plugin author, who will be able to give you more accurate information. If the author of your plugin is currently inactive, try connecting with other users of the plugin via the WordPress Support Forums, who may be able to provide further information to help keep your site safe online.
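To make the escaping point from "What went wrong?" concrete, and to show what to look for when checking your own plugins, here is an added example (not code from this post, the TGM Plugin Activation class or GavernWP) of the pattern that caused the problem beside its hardened form. It assumes a WordPress context, where add_query_arg(), esc_url(), esc_url_raw() and wp_safe_redirect() are core functions; the function names and the 'tgm-install' action value are placeholders.

```php
<?php
// Added example of the add_query_arg() escaping mistake and its fix.
// Assumes WordPress core is loaded. Function names and the 'tgm-install'
// action are placeholders, not identifiers from the TGM library.

// With no URL argument, add_query_arg() builds on $_SERVER['REQUEST_URI'],
// i.e. on the URL the visitor requested. Its return value is a plain,
// unescaped string: fine to process further, not safe to print as-is.

// VULNERABLE: the unescaped string is written straight into an HTML
// attribute, so anything the visitor put in the request URI reaches the
// page unchanged. This is the pattern the Codex confusion led to.
function example_action_link_vulnerable() {
    $url = add_query_arg( array( 'action' => 'tgm-install' ) );
    return '<a href="' . $url . '">Install</a>';
}

// FIXED: escape at the point of output with the escaper that matches the
// context. esc_url() is the right choice for a URL inside HTML.
function example_action_link_fixed() {
    $url = add_query_arg( array( 'action' => 'tgm-install' ) );
    return '<a href="' . esc_url( $url ) . '">Install</a>';
}

// For non-HTML sinks such as a redirect header, use esc_url_raw(), which
// keeps the '&' between query parameters unencoded, and a safe redirect.
function example_redirect_after_action() {
    $target = esc_url_raw( add_query_arg( array( 'done' => '1' ) ) );
    wp_safe_redirect( $target );
    exit;
}
```

To audit a theme or plugin, search its sources for calls to add_query_arg() and remove_query_arg() and confirm that every result reaching HTML output passes through esc_url() (or esc_url_raw() for headers and storage) first.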

This article was first published April 28th, 2015