Return to previous page

URGENT – Vulnerability in Xstore – Is it solved??

This topic has 25 replies, 6 voices, and was last updated 1 weeks ago ago by Jack Richardson

MatV

Participant

May 2, 2024 at 16:41

Hello,

Patchstack and Wordfence published a serious vulnerability in Xstore – SQL Injection.

https://patchstack.com/database/vulnerability/xstore/wordpress-xstore-theme-9-3-5-unauthenticated-sql-injection-vulnerability

According to them its still UNPATCHED.

#393769 Copied Theme version: 9.3.7

24 Answers

MatV

Participant

May 2, 2024 at 16:44

Also another vulnerability for Authenticated (Subscriber+) Limited Arbitrary File Upload…

#393770 Copied

MatV

Participant

May 2, 2024 at 16:46

And also, 3 more vulnerabilities:

Unauthenticated Local File Inclusion

Unauthenticated PHP Object Injection

Unauthenticated Privilege Escalation

Have you adressed all these vulnerabilities??

#393771 Copied

GP

Participant

May 2, 2024 at 19:47

Please respond as soon as you fix these issues, Devs.
Thank you!

Please contact administrator
for this information.

#393781 Copied

Rose Tyler

Support staff

May 3, 2024 at 12:19

Hello,

Thank you for providing the information. We have commenced our review and will notify you once the update is complete.

Kind Regards,
8theme team

#393863 Copied

MatV

Participant

May 3, 2024 at 14:24

Thank you, but I find it surprising that there are more than 7 severe vulnerabilities that were posted the 25th of April on Patchstack and Wordfence and you find out NOW the 3rd of May?? Because I decided to write this post??

Didnt you know already? Didnt you get contacted by the person that found all the vulnerabilities in a disclosed way?

I need to know if your latest update is safe or if we are still in danger, many of the vulnerabilities have a score of 10.0 in severity, this is no joke… It should be your priority!

#393881 Copied

Rose Tyler

Support staff

May 3, 2024 at 14:46

Hello,

We sincerely apologize for only becoming aware of these issues recently. We assure you that we are now fully addressing this matter with the highest priority. Our team is actively working on analyzing and implementing the necessary fixes to ensure that any security vulnerabilities are promptly resolved.

Please bear with us as we work through this process. We are committed to ensuring the safety and security of our products. We will keep you updated as soon as the fixes are released.

Your patience and understanding during this time are greatly appreciated.

Kind Regards,
8theme team

#393885 Copied

MatV

Participant

May 4, 2024 at 13:44

Any update on this? Its been 24 hours. Do you have an ETA?

Vulnerabilities have been public since the 25th of April, 9 days ago!!

#393992 Copied

Andrew Mitchell

Support staff

May 4, 2024 at 14:18

Dear MatV,

Thank you for your patience and understanding.

We are diligently working on addressing the issues you’ve raised. Today, we will be sending you an archive with 50% of the fixes completed. The remaining fixes will be updated as soon as they become available. Additionally, we are in communication with the Patchstack team to ensure that their solution is updated on other affected pages.

We only became aware of these issues yesterday morning upon receiving your notification. Rest assured, our team is working swiftly to resolve them. We appreciate your cooperation and patience as we work to ensure the security and integrity of our products.

Thank you for bringing this to our attention.

Kind Regards,
The 8Theme Team

#393994 Copied

Andrew Mitchell

Support staff

May 4, 2024 at 18:09

Dear MatV,

We are pleased to inform you that we have successfully resolved all (100%) identified issues and have duly reported the same to the Patchstack team for review. We are currently awaiting their feedback.

For your records, we have compiled all pertinent details into archives. Please find the links below for your reference:
– XStore Theme and XStore Core Plugin = https://wetransfer.com/downloads/45ffdcb82b73dad3af9b849b1868a4ba20240505151401/7635d2040ae0dd920444eff4a1e3b20920240505151401/895218?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid

Should you require any further information or assistance, please do not hesitate to contact us.

Best Regards,
The 8Theme Team

#394004 Copied

MatV

Participant

May 4, 2024 at 18:28

Thank you, I will update it.

Although you should release the update publicly so everyone is protected, because the vulnerabilities were pretty serious.

Just to make sure, I will send you a screenshot with all the vulnerabilities I was alerted of, did you manage to patch all of these?

Thank you.

Files is visible for topic creator and
support staff only.

#394007 Copied

Andrew Mitchell

Support staff

May 5, 2024 at 09:51

Dear MatV,

Thank you for your prompt response. Yes, all issues have been fixed. We are currently in discussions with the Patchstack team to ensure comprehensive coverage. Additionally, we are rigorously testing the archive of the XStore theme to ensure its stability and functionality. We will notify you as soon as the update is ready for public release.

Please test new archives and feel free to send us the screenshot of the bugs you were alerted to. We will review it thoroughly to ensure that all concerns have been addressed.

Thank you for your cooperation.

Best Regards,
The 8Theme Team

#394027 Copied

MatV

Participant

May 6, 2024 at 12:48

Hello, any news on this?

I havent found any bugs on the update, but Patchstack is still informing me that I have vulnerabilities on my site.

Did you manage to get in contact with them to make sure you could patch them all?

Acording to Patchstack the vulnerabilities have started to get exploited… you should release a public update ASAP, before your clients get their webistes taken over.

#394128 Copied

Jack Richardson

Support staff

May 6, 2024 at 13:05

Hello @MatV,

As previously mentioned, we have successfully established communication with the developers at Patchstack, and we are currently in the final stages of resolving all identified issues. The majority of the issues discovered have already been rectified from our end, and we have forwarded these fixes to the Patchstack service for verification. Once confirmed, these vulnerabilities will be marked as fixed on their website.

All fixes will be integrated into our upcoming release, XStore theme version 9.3.9, and XStore Core plugin version 5.3.9. These updates will be bundled together and released simultaneously. We intend to deploy this update once Patchstack has confirmed the successful resolution of all reported issues from our end.

As previously expressed, we sincerely appreciate your diligence in bringing these matters to our attention. Rest assured, we will promptly notify you upon receiving confirmation from Patchstack, allowing us to proceed with the submission of the theme update.

Thank you for your patience and cooperation in this matter.

Best regards,
Jack Richardson

#394132 Copied

MatV

Participant

May 6, 2024 at 15:06

I just saw that you updated to version 9.3.9 on the changelog.

Did you get the confirmed verification from Patchstack on all fixes?

Can you update it on the downloadable files page so we can download this new version?

#394154 Copied

MatV

Participant

May 6, 2024 at 15:18

According to Patchstack they are still waiting for all patches and a final version to be released:

“We will confirm patches when we will get the final version for validation, and the vendor will confirm it is released, right now we just seen patches for almost all vulnerabilities except one, but still no final version with a complete set of patches and no information/confirmation about release and release version number.”

#394155 Copied

Andrew Mitchell

Support staff

May 6, 2024 at 16:16

Dear, MatV,

We hope this message finds you well.

We are pleased to provide you with the latest archive containing updated fixes. You can access it via the following link: https://we.tl/t-KxjM8CM2d1

We would like to reiterate that our team has been diligently working on testing and implementing necessary corrections. We have also been in constant communication with Patchstack team to ensure all issues are addressed promptly.

As of now, we have completed all scheduled tasks on our end, including comprehensive testing, and are currently awaiting feedback from the Patchstack team. Should you have any direct contacts at Patchstack, we kindly ask you to encourage them to expedite their review process.

Thank you for your attention and cooperation.

Best Regards,
The 8Theme Team

#394163 Copied

MatV

Participant

May 6, 2024 at 16:31

Alright, but why is the update not available to download for everyone?

You published it on the changelog, so why is it not available as an automatic update or on the downloadable files page?

So everyone can download 9.3.9 already.

#394164 Copied

Andrew Mitchell

Support staff

May 6, 2024 at 16:41

Dear, MatV,

As previously discussed, we are currently awaiting a response from Patchstack to address all identified issues. It is our standard practice to conduct thorough testing before updating our themes to prevent any disruptions for our customers and to minimize frequent updates, which could potentially cause dissatisfaction.

To ensure that all updates are both tested and reliable, we have attached relevant files to this correspondence for your review and action.

Could you please confirm whether you have reached out to the Patchstack team to expedite this process? We are waiting almost 1 hour for their response.

Thank you for your attention to this matter.

Best Regards,
The 8Theme Team

#394165 Copied

MatV

Participant

May 7, 2024 at 14:39

Hello, I see Patchstack updated their database and is marked as fixed in version 9.3.9 now.

Thank you.

What I did see is that according to them you havent claimed ownership for the plugin and theme. It would be a good idea if you did, so next time if theres a vulnerability you are the first ones to find out in a private manner, and you can fix it before it goes public.

This time the time since the vulnerability was discovered until it was patched was just not acceptable. Especially for a product so widely used as Xstore.

Acording to Patchstack the vulnerabilities were found the 8th of March (2 months ago!) and were made public the 25th of April (12 days ago!), not even mentioning that you only found out because I decided to write a post about it.

I expect you do better next time.

Files is visible for topic creator and
support staff only.

#394299 Copied

Andrew Mitchell

Support staff

May 7, 2024 at 16:01

Dear, MatV,

Thank you for sharing this information with us. As you’ve observed, we are committed to providing fast and flexible solutions to address any issues that arise with our products. We have already submitted a claim to Patchstack on Saturday and are awaiting their response. Rest assured, we are taking proactive steps to address the situation effectively.

Once again, thank you for bringing this matter to our attention, and we apologize for any inconvenience caused. Your feedback is invaluable to us as we work towards providing the best possible experience for our customers.

Warm Regards,
The 8Theme Team

#394313 Copied

MatV

Participant

May 8, 2024 at 00:06

I got a notification saying that Andrew Mitchell wrote a new reply, but I dont see any reply after my comment.

Files is visible for topic creator and
support staff only.

#394342 Copied

Jack Richardson

Support staff

May 8, 2024 at 07:53

Dear @MatV,

We hope this message finds you well. We would like to inform you that despite the unusual occurrence where the response from Andrew Mitchell is visible even in an incognito window, which can be viewed here: https://prnt.sc/gb0ZnxnnQ6t1, we have successfully addressed all issues identified by Patchstack and Wordfence.

We are pleased to announce that these fixes have been incorporated into our latest update, version 9.3.9. You can review the update history and details at the following link: https://xstore.8theme.com/update-history/.

Thank you for your cooperation.

Best regards,
The 8Theme Team

#394370 Copied

Daniel

Participant

May 9, 2024 at 12:33

Hy all, i’m a new user of XStore and i was looking for info on this subject. I’ve checked my instalation and it has the latest update with the security patches. My question is: WP Toolkit on my cPanel is still notifying me about the security issues on the instalation with XStore. Could this be just an issue with WP Toolkit verification?
– Checked for cache and other configurations that might be blocking the diagnostic update but din’t find anything.
Thanks in advanced.

Daniel

#394540 Copied

Jack Richardson

Support staff

May 9, 2024 at 14:22

Dear @Daniel,

I hope this message finds you well. We are reaching out to request your assistance with a matter concerning the WP Toolkit security issues you encountered.

Could you kindly provide screenshots of the security issues reported by WP Toolkit? Our analysis indicates that the WP Toolkit validator relies on data from https://patchstack.com/. It is possible that WP Toolkit may require a few days to refresh its information database, as we have already submitted an archive containing all necessary fixes to Patchstack, which they have approved. Each issue previously identified by Patchstack now displays a success mark, as shown here: https://prnt.sc/vPO8KE6pYZAO.

If it is convenient for you, we would greatly appreciate it if you could contact WP Toolkit support through your server and request them to re-evaluate the security of our XStore theme.

Thank you for your attention to this matter and for your cooperation. We look forward to your prompt response.

Best regards,

Jack Richardson
8Theme’s Team

#394551 Copied
Tagged: secure xstore woocommerce theme, urgent xstore security, woocommerce xstore solution, wordpress xstore patch, xstore vulnerability fix, xstore vulnerability woocommerce update
Viewing 25 results - 1 through 25 (of 25 total)