This weekend there was a post on the Full Disclosure list about multiple vulnerabilities in several WordPress themes by WooThemes. This is what the message said:
The following themes by WooThemes are vulnerable: Live Wire (all three themes from the Live Wire series), Gotham News, Typebased, Blogtheme, VibrantCMS, Fresh News, The Gazette Edition, NewsPress, The Station, The Original Premium News, Flash News, Busy Bee, Geometric…
In different themes there is test.php, a script with phpinfo(), which leads to Information Leakage (disclosure of FPD and other important information about the server) and XSS (in PHP < 4.4.1, 4.4.3-4.4.6).
So what exactly is going on? These themes ship a "test.php" file that prints the output of phpinfo(), leaking internal information about the server (file system paths, loaded modules, versions and so on). This information leakage by itself is not serious, but it gives an attacker useful reconnaissance when trying to compromise the site. The other issue (XSS, cross-site scripting) is a bug in PHP 4 itself and does not affect anyone running PHP 5 (which I hope is everybody).
So, if you are using any of those themes, remove the test.php file: debugging code shouldn't be on production sites. If you are still running PHP 4, you have bigger issues than this XSS/information leakage, and we recommend getting your software up to date!
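As an added example (not code from the original post or from WooThemes), here is a small POSIX shell script that finds any PHP file under a WordPress themes directory that calls phpinfo(), so leftover debugging scripts like the test.php described above can be located and moved out of the web root. The themes path and the quarantine directory are assumptions passed in by the caller; the script generalizes beyond test.php by matching any phpinfo() call in any .php file.

```shell
#!/bin/sh
# Added example: locate and quarantine theme files that call phpinfo().
# Assumptions: the WordPress install is at WP_ROOT (e.g. /var/www/html) and the
# quarantine directory lies outside the web root; both are supplied as arguments.

# Print the path of every .php file under $1 that contains a phpinfo() call.
# Only .php files are searched, because a phpinfo() mention in a readme or
# changelog is not served as code.
find_phpinfo_files() {
  themes_dir="$1"
  find "$themes_dir" -type f -name '*.php' \
    -exec grep -lE 'phpinfo[[:space:]]*\(' {} + 2>/dev/null | sort
}

# Move every file found by find_phpinfo_files out of $1 into $2, keeping the
# theme-relative path so the file can be inspected (or restored) later.
quarantine_phpinfo_files() {
  themes_dir="$1"
  quarantine_dir="$2"
  find_phpinfo_files "$themes_dir" | while IFS= read -r f; do
    rel="${f#"$themes_dir"/}"
    mkdir -p "$quarantine_dir/$(dirname "$rel")"
    mv "$f" "$quarantine_dir/$rel"
    echo "quarantined: $rel"
  done
}

# Usage: sh phpinfo_check.sh /var/www/html/wp-content/themes [/var/quarantine]
# With one argument the script only reports; with two it also quarantines.
if [ "$#" -ge 2 ]; then
  quarantine_phpinfo_files "$1" "$2"
elif [ "$#" -eq 1 ]; then
  find_phpinfo_files "$1"
fi
```

Run the report form first and review the list: a theme might legitimately call phpinfo() behind an admin capability check, and in that case you want a human decision rather than a blind move. Re-running the report after quarantining should print nothing.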
Running WordPress? Scan your site for free to see if it has any malware or security issues: http://sitecheck.sucuri.net