Vulnerability in the WordPress King Size theme
This is the vulnerability: http://catchinternet.com/blog/timthumb-vulnerability-wordpress-security-patch/
Below is a discussion that I have been having with the creators of King Size. I personally find their response unacceptable, but I agree that themeforest is also to blame. I also do not understand why they didn't have an "update notifier" until recently. I also contacted themeforest and am waiting for a reply.
-----
Hello King Size Theme team,
My server was cracked using a vulnerability found in timthumb.php, which ships with the King Size Theme.
I checked the theme page on themeforest.net and under version 3.1 it says: "Updated Timthumb (timthumb.php) for security concerns"
Did you send out e-mails to all your customers using King Size < 3.1 about this problem? If not, why not?
Thanks,
Ovi
-----
Ovidiu Dan (Ovi),
A customer support staff member has replied to your support request, #455636 with the following response:
Hello,
I am sorry to hear about your troubles but it's not our responsibility to keep you informed of updates. It's yours as a buyer's responsibility to occasionally check in and see if updates are available. As of v3.3 we released an "update notifier" which informs buyers when updates are available via their Dashboards.
Kind regards,
Bryce Wisekal
-----
Hello again,
I am sorry but it IS definitely your responsibility, especially when it comes to critical security vulnerabilities.
Please do the right thing and inform your customers or I will do it for you.
Ovi
-----
Ovidiu Dan (Ovi),
A customer support staff member has replied to your support request, #455636 with the following response:
Hello Ovi,
And how do you propose we do that when we do not have CONTACT to our buyers? Come on now, be sensible. When you buy a template from theme forest it IS YOUR responsibility. If you cannot deal with that I am sorry, it's not our fault though. We announced this information within our comments, as well as released an update. We do not have access to contact buyers due to Theme Forest controlling those rights.
As I had mentioned, I am sorry to hear about your troubles but if you came by Theme Forest from time to time and checked on the template you would have clearly known about the issues. We did our part by addressing the issue, it's not your responsibility to update your template - not ours.
So please, do the right thing and accept your responsibility, because it's not ours. If you disagree with this, you're more than welcome to take it up with Theme Forest and suggest to them that sellers need the ability to contact their buyers but it's not going to happen. It's something authors have been asking Theme Forest for some time now. I'm sorry, but we're only able to do what we can, the rest is up to you as a buyer.
Kind regards,
Bryce Wisekal
-----