I found a family of Cross-site Scripting (XSS) vulnerabilities while checking out WordPress themes. It’s the same vulnerability, copy/pasted from one theme to its “inspired by” children.
One of my longer-overdue tasks has been to get this site off the default WordPress theme. So I’ve slowly been checking out themes, taking notes of what I like, and kicking a few of them around on a private WP install on my laptop. Quite a few themes are fodder for XSS attacks, by way of search pages that echo the query back without sanitizing it.
Here’s how to tell if the theme you’re looking at (or using!) is vulnerable to the XSS exploit. Type this into the search box:
If you get a pop-up dialog that says ‘xss’, you’ve found a vulnerable theme. Repair the vulnerability before using the theme, or find a safer one.
To pick on one theme in particular (because it’s a nice theme, and the author hasn’t fixed the exploit or responded to my email), try this on the DePo Clean theme. Scroll to the bottom to get to the search box.
Fortunately, repairing the vulnerability is straightforward. Find and open search.php in the editor of your choice, then replace
<?php echo $s; ?>
with
<?php echo strip_tags($s); ?>
This prevents a script entered via search from being echoed back to the user.
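As an added example (not code from this post or from any theme), here is a stand-alone PHP script that compares the raw echo the vulnerable themes use, the strip_tags() fix above, and output encoding with htmlspecialchars(), which is the plain-PHP equivalent of WordPress’s esc_html(). The inputs are constructed; the attribute case shows why the fix has to match the context where $s is echoed.

```php
<?php
// Added example (not from the post or any theme): three ways a search page can echo $s.
// Run with `php this_file.php` and compare the output lines.

// Constructed inputs standing in for what a visitor types into the search box.
$inputs = [
    "<script>alert('xss')</script>",   // the classic reflected-XSS probe from the post
    'shoes " title="injected',         // no tags at all, so strip_tags() leaves it untouched
];

// 1. What the vulnerable themes do: echo $s verbatim into the page body.
function render_raw(string $s): string {
    return "<h1>Search results for: $s</h1>";
}

// 2. The post's fix: strip_tags() removes <...> markup, so a <script> tag never reaches the browser.
function render_strip_tags(string $s): string {
    return "<h1>Search results for: " . strip_tags($s) . "</h1>";
}

// 3. Output encoding: htmlspecialchars() is the stand-alone equivalent of WordPress's esc_html().
//    Inside a theme, esc_html($s) or get_search_query() is the idiomatic call.
function render_encoded(string $s): string {
    return "<h1>Search results for: " . htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</h1>";
}

// Context matters: strip_tags() does not touch quotes, so it cannot protect a value echoed
// inside an attribute (such as the value="" of the search form's own input box).
function render_attr_strip_tags(string $s): string {
    return '<input type="text" name="s" value="' . strip_tags($s) . '">';
}
function render_attr_encoded(string $s): string {
    return '<input type="text" name="s" value="' . htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

foreach ($inputs as $s) {
    echo "input:            $s\n";
    echo "raw (vulnerable): " . render_raw($s) . "\n";
    echo "strip_tags:       " . render_strip_tags($s) . "\n";
    echo "encoded:          " . render_encoded($s) . "\n";
    echo "attr+strip_tags:  " . render_attr_strip_tags($s) . "\n";
    echo "attr+encoded:     " . render_attr_encoded($s) . "\n\n";
}
```

For the second input, the attr+strip_tags line shows the quote closing the value attribute early, while the encoded line keeps the whole string inside the attribute.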
And consider sending a note to the theme’s author. Fixing a problem at the source is usually best.
And no, no new theme here yet. Working on it.