BlogSecurity an organization that deals with web blog security recently posted a list of the top 10 WordPress themes that are vulnerable to Cross-Site Scripting due to template flaws.

1. field-of-dreams
2. tarski
3. mandigo-14,1.22
4. connections
5. default
6. freshy
7. redoable
8. k2
9. vistered-little-1.6a
10. wp-multiflex-3

Some of the themes on the list are popular WordPress themes, like freshy, k2 and redoable. I hope that the theme authors would look into this and make the necessary changes and fix the template flaws.

If you want to perform the same test for your blog or WordPress themes that you’ve created, you can use the same method used by BlogSecurity team. All you need to do is follow the installation instructions:

• Download the wp-scanner activator plugin.
• Upload the plugin file to your wp-contents/plugin folder.
• Activate the plugin from the admin panel.
• Launch the wp-scanner and perform the test.
• As soon as you’re done, de-activate the plugin so other people can’t to scan your blog.

Btw, I performed the test for JaypeeOnline and I’m happy with the result:

I strongly recommend that you also perform this test so you can find out if the WordPress theme you’re using is vulnerable or not. It would only take a few minutes of your time. If you’ve also performed the test, please share your test results or your thoughts regarding this matter. Thank you!

Oh yeah, I almost forgot. Make it a habit to download WordPress themes or plugins from reliable sources or directly from the author’s site. Better safe than sorry!

Have a good weekend everyone! :)

Anyone who’s using the Vistered Little Theme other than the latest version 1.7.3, are strongly advised to immediately upgrade due to a vulnerability that has been recently discovered.

From the author’s blog:

Wordpress Blogs using Vistered Little are being targeted by hackers. Over the last two days the number of 404s on my site increased significantly. Further investigation revealed that attempts were being made to access the following URLs to gain access to files they wouldn’t normally have access to.

It appears the skins/common.css.php is vulnerable. This file existing in that location in 1.6a and within the theme’s root directory in 1.7.0 through to 1.7.2. This file does not exist in the current version 1.7.3.

For those who can’t do the upgrade, another option would be to switch to another theme and immediately delete the Vistered Little theme folder from your wp-content/themes folder.

A little background:

Screenshot:

Vistered Little is a 2 column, fixed width, widget-ready theme from Windy Road and is one of the most popular and most downloaded WordPress themes. Vistered Little has a highly customisable glass-like interface with wallpaper and skin support. This theme makes use of the Skinner and Presentation Toolkit plugins.

Upgrade to Vistered Little 1.7.3 now!