Top 10 Vulnerable WP Themes


BlogSecurity, an organization that deals with weblog security, recently posted a list of the top 10 WordPress themes that are vulnerable to Cross-Site Scripting (XSS) due to template flaws, i.e. theme templates that write request data (such as the search term) back into the page without escaping it, so a crafted link can inject script into your blog.

1. field-of-dreams
2. tarski
3. mandigo-14,1.22
4. connections
5. default
6. freshy
7. redoable
8. k2
9. vistered-little-1.6a
10. wp-multiflex-3

Some of the themes on the list are popular WordPress themes, like freshy, k2 and redoable. I hope the theme authors look into this and make the necessary changes to fix the template flaws.
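To show what such a template flaw and its fix look like, here is an added example (not code from the original post, from BlogSecurity, or from any of the themes listed). It is the classic unescaped search-form pattern, with the vulnerable and escaped versions side by side and a scanner-style check of the kind wp-scanner performs. The helper names (vulnerable_search_form, hardened_search_form, reflects_unescaped) are hypothetical, and the request input is constructed so the script runs from the command line without WordPress loaded.

```php
<?php
// Added example, not code from the original post, from BlogSecurity or from
// any of the listed themes. Hypothetical helpers take the query parameters as
// an array so the script runs stand-alone: php template_xss.php

// Vulnerable pattern: the raw request value is written into an attribute.
// In a real theme this is an unescaped "echo $s" inside the value attribute
// of searchform.php; echoing $_SERVER['PHP_SELF'] into a form action is the
// same mistake in a different attribute.
function vulnerable_search_form(array $get)
{
    $s = isset($get['s']) ? $get['s'] : '';
    return '<form method="get" action="/">'
         . '<input type="text" name="s" value="' . $s . '" />'
         . '</form>';
}

// Hardened pattern: escape for the HTML attribute context before output.
// Inside WordPress use attribute_escape() (2.x) or esc_attr() (2.8 and later);
// htmlspecialchars() with ENT_QUOTES is the plain-PHP equivalent used here.
function hardened_search_form(array $get)
{
    $s = isset($get['s']) ? $get['s'] : '';
    $safe = htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<form method="get" action="/">'
         . '<input type="text" name="s" value="' . $safe . '" />'
         . '</form>';
}

// Scanner-style check: a reflected-XSS probe succeeds when the payload's
// markup characters come back verbatim in the response.
function reflects_unescaped($html, $payload)
{
    return strpos($html, $payload) !== false;
}

// Constructed sample request, i.e. what ?s=... in a crafted link would carry:
// it closes the value attribute and adds an event handler.
$payload = '" onmouseover="alert(1)';
$get = array('s' => $payload);

foreach (array('vulnerable_search_form', 'hardened_search_form') as $fn) {
    $html = $fn($get);
    $verdict = reflects_unescaped($html, $payload) ? 'VULNERABLE' : 'escaped';
    printf("%-24s %s\n  %s\n", $fn . ':', $verdict, $html);
}
```

The vulnerable version renders `value="" onmouseover="alert(1)" />`, so the injected handler becomes part of the page; the hardened version renders the same input as `&quot; onmouseover=&quot;alert(1)`, which the browser treats as plain text inside the attribute. The same escaping rule applies to any other request-derived value a template prints, not just the search term.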

If you want to perform the same test on your blog, or on WordPress themes you've created, you can use the same method the BlogSecurity team used. All you need to do is follow these installation instructions:

  • Download the wp-scanner activator plugin.
  • Upload the plugin file to your wp-content/plugins folder.
  • Activate the plugin from the admin panel.
  • Launch the wp-scanner and run the test.
  • As soon as you're done, deactivate the plugin so other people can't use it to scan your blog.

Btw, I performed the test for JaypeeOnline and I’m happy with the result:

WP Scanner Result for JaypeeOnline

I strongly recommend that you also perform this test so you can find out whether the WordPress theme you're using is vulnerable. It only takes a few minutes of your time. If you've performed the test, please share your results or your thoughts on this matter. Thank you!

Oh yeah, I almost forgot. Make it a habit to download WordPress themes and plugins only from reliable sources or directly from the author's site. Better safe than sorry!

Have a good weekend everyone! :)

Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports. You can follow him on Google+, Facebook or Twitter.

10 Comments

  1. JP Habaradas

    August 12, 2007 at 6:51 AM

    @jhay – That’s good. This is cool because now we can use this plugin to test a theme before using it on our blog, right? Thanks! :)

  2. jhay

    August 12, 2007 at 5:13 AM

    Whew, it’s a good thing my theme checked out fine.

    Quite a nifty plugin you found dude.

  3. JP Habaradas

    August 11, 2007 at 10:30 PM

    @iskoo – Thanks! Let me know what you got in your results, ok? :)

  4. iskoo

    August 11, 2007 at 10:06 PM

    Good info, I'll check mine..

  5. JP Habaradas

    August 11, 2007 at 8:00 AM

    @benj – What happened? Do you have a screenshot? Let me know if you’re still experiencing the problem and I’ll try to help you out.

  6. benj

    August 11, 2007 at 7:43 AM

    Ok, my site just got messed up with Firefox. I wasn’t doing anything! It still works fine with IE and Opera though. Halp! :cry:

  7. JP Habaradas

    August 11, 2007 at 5:30 AM

    @Manila Freelancer – You’re welcome! Care to share your test results? :)

  8. Manila Freelancer

    August 11, 2007 at 5:04 AM

    I'll check my theme's vulnerability later on… thanks for the tip.

  9. JP Habaradas

    August 10, 2007 at 8:40 PM

    @K – It doesn't matter where themes are hosted coz it involves the template code and stuff. As long as you use one of those themes listed, and as long as the authors don't fix it, they'd remain vulnerable.

  10. K

    August 10, 2007 at 3:46 PM

    Does this affect themes from wp.com? I’m glad my current (Unsleepable) is not on this list.
