URGENT – Vulnerability in Xstore – Is it solved??

This topic has 29 replies, 7 voices, and was last updated 2 weeks, 4 days ago ago by Rose Tyler

  • Avatar: MatV
    MatV
    Participant
    May 2, 2024 at 16:41

    Hello,

    Patchstack and Wordfence published a serious vulnerability in Xstore – SQL Injection.

    https://patchstack.com/database/vulnerability/xstore/wordpress-xstore-theme-9-3-5-unauthenticated-sql-injection-vulnerability

    According to them its still UNPATCHED.

    28 Answers
    Avatar: MatV
    MatV
    Participant
    May 2, 2024 at 16:44

    Also another vulnerability for Authenticated (Subscriber+) Limited Arbitrary File Upload…

    Avatar: MatV
    MatV
    Participant
    May 2, 2024 at 16:46

    And also, 3 more vulnerabilities:

    Unauthenticated Local File Inclusion

    Unauthenticated PHP Object Injection

    Unauthenticated Privilege Escalation

    Have you adressed all these vulnerabilities??

    Avatar: GP
    GP
    Participant
    May 2, 2024 at 19:47

    Please respond as soon as you fix these issues, Devs.
    Thank you!

    Please contact administrator
    for this information.
    Avatar: Rose Tyler
    Rose Tyler
    Support staff
    May 3, 2024 at 12:19

    Hello,

    Thank you for providing the information. We have commenced our review and will notify you once the update is complete.

    Kind Regards,
    8theme team

    Avatar: MatV
    MatV
    Participant
    May 3, 2024 at 14:24

    Thank you, but I find it surprising that there are more than 7 severe vulnerabilities that were posted the 25th of April on Patchstack and Wordfence and you find out NOW the 3rd of May?? Because I decided to write this post??

    Didnt you know already? Didnt you get contacted by the person that found all the vulnerabilities in a disclosed way?

    I need to know if your latest update is safe or if we are still in danger, many of the vulnerabilities have a score of 10.0 in severity, this is no joke… It should be your priority!

    Avatar: Rose Tyler
    Rose Tyler
    Support staff
    May 3, 2024 at 14:46

    Hello,

    We sincerely apologize for only becoming aware of these issues recently. We assure you that we are now fully addressing this matter with the highest priority. Our team is actively working on analyzing and implementing the necessary fixes to ensure that any security vulnerabilities are promptly resolved.

    Please bear with us as we work through this process. We are committed to ensuring the safety and security of our products. We will keep you updated as soon as the fixes are released.

    Your patience and understanding during this time are greatly appreciated.

    Kind Regards,
    8theme team

    Avatar: MatV
    MatV
    Participant
    May 4, 2024 at 13:44

    Any update on this? Its been 24 hours. Do you have an ETA?

    Vulnerabilities have been public since the 25th of April, 9 days ago!!

    Avatar: Andrew Mitchell
    Andrew Mitchell
    Support staff
    May 4, 2024 at 14:18

    Dear MatV,

    Thank you for your patience and understanding.

    We are diligently working on addressing the issues you’ve raised. Today, we will be sending you an archive with 50% of the fixes completed. The remaining fixes will be updated as soon as they become available. Additionally, we are in communication with the Patchstack team to ensure that their solution is updated on other affected pages.

    We only became aware of these issues yesterday morning upon receiving your notification. Rest assured, our team is working swiftly to resolve them. We appreciate your cooperation and patience as we work to ensure the security and integrity of our products.

    Thank you for bringing this to our attention.

    Kind Regards,
    The 8Theme Team

    Avatar: Andrew Mitchell
    Andrew Mitchell
    Support staff
    May 4, 2024 at 18:09

    Dear MatV,

    We are pleased to inform you that we have successfully resolved all (100%) identified issues and have duly reported the same to the Patchstack team for review. We are currently awaiting their feedback.

    For your records, we have compiled all pertinent details into archives. Please find the links below for your reference:
    – XStore Theme and XStore Core Plugin = https://wetransfer.com/downloads/45ffdcb82b73dad3af9b849b1868a4ba20240505151401/7635d2040ae0dd920444eff4a1e3b20920240505151401/895218?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid

    Should you require any further information or assistance, please do not hesitate to contact us.

    Best Regards,
    The 8Theme Team

    Avatar: MatV
    MatV
    Participant
    May 4, 2024 at 18:28

    Thank you, I will update it.

    Although you should release the update publicly so everyone is protected, because the vulnerabilities were pretty serious.

    Just to make sure, I will send you a screenshot with all the vulnerabilities I was alerted of, did you manage to patch all of these?

    Thank you.

    Files is visible for topic creator and
    support staff only.
    Avatar: Andrew Mitchell
    Andrew Mitchell
    Support staff
    May 5, 2024 at 09:51

    Dear MatV,

    Thank you for your prompt response. Yes, all issues have been fixed. We are currently in discussions with the Patchstack team to ensure comprehensive coverage. Additionally, we are rigorously testing the archive of the XStore theme to ensure its stability and functionality. We will notify you as soon as the update is ready for public release.

    Please test new archives and feel free to send us the screenshot of the bugs you were alerted to. We will review it thoroughly to ensure that all concerns have been addressed.

    Thank you for your cooperation.

    Best Regards,
    The 8Theme Team

    Avatar: MatV
    MatV
    Participant
    May 6, 2024 at 12:48

    Hello, any news on this?

    I havent found any bugs on the update, but Patchstack is still informing me that I have vulnerabilities on my site.

    Did you manage to get in contact with them to make sure you could patch them all?

    Acording to Patchstack the vulnerabilities have started to get exploited… you should release a public update ASAP, before your clients get their webistes taken over.

    Avatar: Jack Richardson
    Jack Richardson
    Support staff
    May 6, 2024 at 13:05

    Hello @MatV,

    As previously mentioned, we have successfully established communication with the developers at Patchstack, and we are currently in the final stages of resolving all identified issues. The majority of the issues discovered have already been rectified from our end, and we have forwarded these fixes to the Patchstack service for verification. Once confirmed, these vulnerabilities will be marked as fixed on their website.

    All fixes will be integrated into our upcoming release, XStore theme version 9.3.9, and XStore Core plugin version 5.3.9. These updates will be bundled together and released simultaneously. We intend to deploy this update once Patchstack has confirmed the successful resolution of all reported issues from our end.

    As previously expressed, we sincerely appreciate your diligence in bringing these matters to our attention. Rest assured, we will promptly notify you upon receiving confirmation from Patchstack, allowing us to proceed with the submission of the theme update.

    Thank you for your patience and cooperation in this matter.

    Best regards,
    Jack Richardson

    Avatar: MatV
    MatV
    Participant
    May 6, 2024 at 15:06

    I just saw that you updated to version 9.3.9 on the changelog.

    Did you get the confirmed verification from Patchstack on all fixes?

    Can you update it on the downloadable files page so we can download this new version?

    Avatar: MatV
    MatV
    Participant
    May 6, 2024 at 15:18

    According to Patchstack they are still waiting for all patches and a final version to be released:

    “We will confirm patches when we will get the final version for validation, and the vendor will confirm it is released, right now we just seen patches for almost all vulnerabilities except one, but still no final version with a complete set of patches and no information/confirmation about release and release version number.”

    Avatar: Andrew Mitchell
    Andrew Mitchell
    Support staff
    May 6, 2024 at 16:16

    Dear, MatV,

    We hope this message finds you well.

    We are pleased to provide you with the latest archive containing updated fixes. You can access it via the following link: https://we.tl/t-KxjM8CM2d1

    We would like to reiterate that our team has been diligently working on testing and implementing necessary corrections. We have also been in constant communication with Patchstack team to ensure all issues are addressed promptly.

    As of now, we have completed all scheduled tasks on our end, including comprehensive testing, and are currently awaiting feedback from the Patchstack team. Should you have any direct contacts at Patchstack, we kindly ask you to encourage them to expedite their review process.

    Thank you for your attention and cooperation.

    Best Regards,
    The 8Theme Team

    Avatar: MatV
    MatV
    Participant
    May 6, 2024 at 16:31

    Alright, but why is the update not available to download for everyone?

    You published it on the changelog, so why is it not available as an automatic update or on the downloadable files page?

    So everyone can download 9.3.9 already.

    Avatar: Andrew Mitchell
    Andrew Mitchell
    Support staff
    May 6, 2024 at 16:41

    Dear, MatV,

    As previously discussed, we are currently awaiting a response from Patchstack to address all identified issues. It is our standard practice to conduct thorough testing before updating our themes to prevent any disruptions for our customers and to minimize frequent updates, which could potentially cause dissatisfaction.

    To ensure that all updates are both tested and reliable, we have attached relevant files to this correspondence for your review and action.

    Could you please confirm whether you have reached out to the Patchstack team to expedite this process? We are waiting almost 1 hour for their response.

    Thank you for your attention to this matter.

    Best Regards,
    The 8Theme Team

    Avatar: MatV
    MatV
    Participant
    May 7, 2024 at 14:39

    Hello, I see Patchstack updated their database and is marked as fixed in version 9.3.9 now.

    Thank you.

    What I did see is that according to them you havent claimed ownership for the plugin and theme. It would be a good idea if you did, so next time if theres a vulnerability you are the first ones to find out in a private manner, and you can fix it before it goes public.

    This time the time since the vulnerability was discovered until it was patched was just not acceptable. Especially for a product so widely used as Xstore.

    Acording to Patchstack the vulnerabilities were found the 8th of March (2 months ago!) and were made public the 25th of April (12 days ago!), not even mentioning that you only found out because I decided to write a post about it.

    I expect you do better next time.

    Files is visible for topic creator and
    support staff only.
    Avatar: Andrew Mitchell
    Andrew Mitchell
    Support staff
    May 7, 2024 at 16:01

    Dear, MatV,

    Thank you for sharing this information with us. As you’ve observed, we are committed to providing fast and flexible solutions to address any issues that arise with our products. We have already submitted a claim to Patchstack on Saturday and are awaiting their response. Rest assured, we are taking proactive steps to address the situation effectively.

    Once again, thank you for bringing this matter to our attention, and we apologize for any inconvenience caused. Your feedback is invaluable to us as we work towards providing the best possible experience for our customers.

    Warm Regards,
    The 8Theme Team

    Avatar: MatV
    MatV
    Participant
    May 8, 2024 at 00:06

    I got a notification saying that Andrew Mitchell wrote a new reply, but I dont see any reply after my comment.

    Files is visible for topic creator and
    support staff only.
    Avatar: Jack Richardson
    Jack Richardson
    Support staff
    May 8, 2024 at 07:53

    Dear @MatV,

    We hope this message finds you well. We would like to inform you that despite the unusual occurrence where the response from Andrew Mitchell is visible even in an incognito window, which can be viewed here: https://prnt.sc/gb0ZnxnnQ6t1, we have successfully addressed all issues identified by Patchstack and Wordfence.

    We are pleased to announce that these fixes have been incorporated into our latest update, version 9.3.9. You can review the update history and details at the following link: https://xstore.8theme.com/update-history/.

    Thank you for your cooperation.

    Best regards,
    The 8Theme Team

    Avatar: Daniel
    Daniel
    Participant
    May 9, 2024 at 12:33

    Hy all, i’m a new user of XStore and i was looking for info on this subject. I’ve checked my instalation and it has the latest update with the security patches. My question is: WP Toolkit on my cPanel is still notifying me about the security issues on the instalation with XStore. Could this be just an issue with WP Toolkit verification?
    – Checked for cache and other configurations that might be blocking the diagnostic update but din’t find anything.
    Thanks in advanced.

    Daniel

    Avatar: Jack Richardson
    Jack Richardson
    Support staff
    May 9, 2024 at 14:22

    Dear @Daniel,

    I hope this message finds you well. We are reaching out to request your assistance with a matter concerning the WP Toolkit security issues you encountered.

    Could you kindly provide screenshots of the security issues reported by WP Toolkit? Our analysis indicates that the WP Toolkit validator relies on data from https://patchstack.com/. It is possible that WP Toolkit may require a few days to refresh its information database, as we have already submitted an archive containing all necessary fixes to Patchstack, which they have approved. Each issue previously identified by Patchstack now displays a success mark, as shown here: https://prnt.sc/vPO8KE6pYZAO.

    If it is convenient for you, we would greatly appreciate it if you could contact WP Toolkit support through your server and request them to re-evaluate the security of our XStore theme.

    Thank you for your attention to this matter and for your cooperation. We look forward to your prompt response.

    Best regards,

    Jack Richardson
    8Theme’s Team

    Avatar: delovionline
    delovionline
    Participant
    May 25, 2024 at 13:55

    Hello,

    I have a big problem with the Theme and Core plugin:

    I have updated the theme and core plugin to latest version (9.3.10 and 5.3.10), but in my C-panel it still gives me Vulnerabilities for versions 9.3.8 and 5.3.8.

    Also i have too many “Deprecated: Creation of dynamic property” and “Warning: Cannot modify header information – headers already sent by” errors when Core plugin is activated.

    How to reslove Vulnerabilities and errors?

    List of vulnerabilities:

    9.3
    WordPress XStore theme <= 9.3.8 - Unauthenticated SQL Injection vulnerability Unauthenticated SQL Injection vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress T... Show more Date: 25.04.2024 | Source: PatchstackWordfence Theme No updates available 9 WordPress XStore theme <= 9.3.8 - Unauthenticated Local File Inclusion vulnerability Unauthenticated Local File Inclusion vulnerability discovered by Rafie Muhammad (Patchstack) in Word... Show more Date: 25.04.2024 | Source: PatchstackWordfence Theme No updates available 8.8 WordPress XStore theme <= 9.3.8 - Arbitrary Option Update vulnerability Arbitrary Option Update vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme X... Show more Date: 25.04.2024 | Source: PatchstackWordfence Theme No updates available 7.6 WordPress XStore theme <= 9.3.8 - Broken Access Control vulnerability Broken Access Control vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme XSt... Show more Date: 25.04.2024 | Source: PatchstackWordfence Theme No updates available 7.5 WordPress XStore theme <= 9.3.8 - Unauthenticated Broken Access Control vulnerability Unauthenticated Broken Access Control vulnerability discovered by Rafie Muhammad (Patchstack) in Wor... Show more Date: 25.04.2024 | Source: PatchstackWordfence Theme No updates available 7.1 WordPress XStore theme <= 9.3.8 - Reflected Cross Site Scripting (XSS) vulnerability Reflected Cross Site Scripting (XSS) vulnerability discovered by Rafie Muhammad (Patchstack) in Word... Show more Date: 25.04.2024 | Source: PatchstackWordfence Theme No updates available 5.9 WordPress Core - Informational - All known Versions - Weak Hashing Algorithm All known versions of WordPress core use a weak MD5-based password hashing algorithm, which makes it... Show more This record contains material that is subject to copyright. Date: 20.06.2012 | Source: Wordfence Core No updates available 5.3 WordPress Core - All Known Versions - Cleartext Storage of wp_signups.activation_key All known versions of WordPress Core store cleartext wp_signups.activation_key values (but stores th... Show more This record contains material that is subject to copyright. Date: 10.10.2017 | Source: Wordfence Core No updates available 9.8 WordPress XStore Core plugin <= 5.3.8 - Unauthenticated Account Takeover vulnerability Unauthenticated Account Takeover vulnerability discovered by Rafie Muhammad (Patchstack) in WordPres... Show more Date: 25.04.2024 | Source: PatchstackWordfence Mitigated by deactivation Plugin Deactivated 9.3 WordPress XStore Core plugin <= 5.3.8 - Unauthenticated SQL Injection vulnerability Unauthenticated SQL Injection vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress P... Show more Date: 25.04.2024 | Source: PatchstackWordfence Mitigated by deactivation Plugin Deactivated 9 WordPress XStore Core plugin <= 5.3.8 - Unauthenticated PHP Object Injection vulnerability Unauthenticated PHP Object Injection vulnerability discovered by Rafie Muhammad (Patchstack) in Word... Show more Date: 25.04.2024 | Source: PatchstackWordfence Mitigated by deactivation Plugin Deactivated 8.5 WordPress XStore Core plugin <= 5.3.8 - Local File Inclusion vulnerability Local File Inclusion vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Plugin XSt... Show more Date: 25.04.2024 | Source: PatchstackWordfence Mitigated by deactivation Plugin Deactivated 8.2 WordPress XStore Core plugin <= 5.3.8 - Limited Arbitrary File Upload vulnerability Limited Arbitrary File Upload vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress P... Show more Date: 25.04.2024 | Source: PatchstackWordfence Mitigated by deactivation Plugin Deactivated 8.1 WordPress XStore Core plugin <= 5.3.8 - Multiple Authenticated Broken Access Control vulnerability Multiple Authenticated Broken Access Control vulnerability discovered by Rafie Muhammad (Patchstack)... Show more Date: 25.04.2024 | Source: PatchstackWordfence Mitigated by deactivation Plugin Deactivated 7.1 WordPress XStore Core plugin <= 5.3.8 - Reflected Cross Site Scripting (XSS) vulnerability Reflected Cross Site Scripting (XSS) vulnerability discovered by Rafie Muhammad (Patchstack) in Word... Show more Date: 25.04.2024 | Source: PatchstackWordfence Mitigated by deactivation Plugin Deactivated 6.5 WordPress XStore Core plugin <= 5.3.8 - Limited Arbitrary File Download vulnerability Limited Arbitrary File Download vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress... Show more Date: 25.04.2024 | Source: PatchstackWordfence Mitigated by deactivation Plugin Deactivated 4 WordPress Core All Versions - Unauthenticated Blind Server-Side Request Forgery vulnerability Unauthenticated Blind Server-Side Request Forgery vulnerability discovered by Simon Scannell & Thoma... Show more Date: 13.12.2022 | Source: PatchstackWordfence Mitigated by security measure Core Security measure applied

    Please contact administrator
    for this information.
    Avatar: Jack Richardson
    Jack Richardson
    Support staff
    May 25, 2024 at 14:49

    Dear @delovionline,

    We are pleased to inform you that all the errors previously displayed in your CPanel have been successfully resolved. The latest updates have been applied and verified on the Patchstack server, where all fixes received a success mark. You can view the confirmation at the following link: https://prnt.sc/tKupXH_W5cjT.

    Should you have recently updated your theme and core plugin, please allow some time for your CPanel to clear the cache of the vulnerability results. Alternatively, you may contact their support team to expedite the vulnerability check for your website’s theme/core.

    Regarding your inquiries about deprecations, they are primarily due to the use of a higher PHP version that is not yet supported. We recommend downgrading to PHP version 8.0 and verifying if the issue persists.

    For future correspondence, we kindly ask that you submit separate queries for different topics to enhance the efficiency of our support.

    Best Regards,
    Jack Richardson
    The 8Theme Team

    Avatar: delovionline
    delovionline
    Participant
    May 25, 2024 at 17:48

    Ok, downgrade to 8.1.2 helped me with the errors. Thank you.

    Avatar: Rose Tyler
    Rose Tyler
    Support staff
    May 27, 2024 at 07:39

    Dear @delovionline,

    You’re welcome!

    Kind Regards,
    8theme team

  • Viewing 29 results - 1 through 29 (of 29 total)

You must be logged in to reply to this topic.Log in/Sign up

We're using our own and third-party cookies to improve your experience and our website. Keep on browsing to accept our cookie policy.