XSS attacks question re recent update (TGM Class)

[anton123]

Hi There, re the recent update

How serious is this bug? Here is the Enfold theme’s reply on the issue:

“This is not really a problem for our themes. We only ship the TGM Plugin activation class with our framework which has been identified as not 100% secure and that will update the framework for all themes with the new class asap. To exploit the class you would need admin access anyways so the chance that something bad happens is really slim”

So it doesn’t sound that serious and chances are slim of something happening?

If I can not update now it will be better since there are many customisations (and lots of work to do….)

Please advise, thanks

[Mohammad – SUPPORT]

Hi,
Thanks for this information. I will inform to developer about it.
Thanks
Mohammad

[Swift Ideas – Ed]

Hi anton123,

We take security seriously here, which was why we shipped out updates last week as soon as we were informed about this.

The update for Dante that was made available last week included these security fixes.

– Ed

[anton123]

Thanks Ed, that’s great

My Q is whether this is really so serious?

Enfold: “To exploit the class you would need admin access anyways so the chance that something bad happens is really slim”

Can I get away with not updating now? ( since there are many customisations (and lots of work to do….))

Thanks

[Swift Ideas – Ed]

I’d say you should take any security issue seriously – no matter how likely it is to affect you, better to be safe than sorry!

You can download he latest version, then just replace the class-tgm file in /includes, if you want to wait to update fully.

– Ed

[anton123]

Great thanks – will that be the same for most other themes as well?

If I can just replace one file rather than spending hours redo-ing customizations that’s a bonus!

[Swift Ideas – Ed]

I can’t say for other themes, but that is all that’s needed in Dante.

– Ed