Fahmida Y. Rashid, writing on Security Watch, has posted “More XSS Vulnerabilities Found in WordPress Themes”, an article on XSS vulnerabilities in WordPress themes that allow attackers to remotely execute JavaScript code on WordPress blog sites.
“Several WordPress themes have been found to host a cross-site scripting (XSS) vulnerability, according to a professional penetration tester. If you have a WordPress blog and are using one of the affected themes, you need to download the fixed themes and install them to close the XSS flaws.
XSS vulnerabilities can be found in Unite, Salutation, Intersect, and Traject themes from Parallelus, said Janne Ahlberg, a Finnish product security professional and a penetration tester. The themes generally range between $30 and $60 and can be easily found on Themeforest.net, a theme marketplace for WordPress environments.
If left unpatched, attackers would be able to remotely execute JavaScript code on the site. Within a day of Ahlberg publicizing the issue, Parallelus took action, correcting all issues in the themes. Ahlberg claimed he had originally tried to send a Web form informing the developer about the issues and had gotten no response.
Despite its popularity as a blogging platform, WordPress has had its own share of security issues in recent months. About a year ago, attackers exploited timthumb.php, an image resizing utility, and various XSS vulnerabilities were identified on the blog’s setup page.”
Read full article at: http://securitywatch.pcmag.com/none/303494-more-xss-vulnerabilities-found-in-wordpress-themes
More information on these issues at: http://threatpost.com/en_us/blogs/some-wordpress-themes-thousands-sites-open-xss-vulnerabilities-100312