Patch for v2.7.28 to fix missing capability checks
I'm getting alerts that the Unyson plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on several functions in versions up to, and including, 2.7.28. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions such as dismissing notices.
Is there a Patch in the works?
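As an added illustration (not code from the original issue, from Unyson, or from the advisory), the pattern behind "missing capability checks" in a WordPress plugin: an admin-ajax handler that dismisses a notice is reachable by any logged-in user, including subscribers, so unless the handler itself verifies authorization and intent, a low-privileged account can change site state. The function and hook names below are hypothetical, and the script handle passed to wp_localize_script is assumed to be registered elsewhere.

```php
<?php
// Hypothetical plugin code, added here for illustration; not Unyson's code.
// wp_ajax_* hooks fire for every authenticated user, whatever their role,
// so authorization has to be enforced inside the handler itself.

// Unchecked pattern: no nonce, no capability test. A subscriber can call
// admin-ajax.php?action=example_dismiss_unchecked and update the option.
function example_dismiss_notice_unchecked() {
    $notice = isset( $_POST['notice'] ) ? sanitize_key( $_POST['notice'] ) : '';
    update_option( 'example_notice_dismissed_' . $notice, 1 );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_dismiss_unchecked', 'example_dismiss_notice_unchecked' );

// Hardened pattern: verify intent (nonce, against CSRF) and authorization
// (capability) before touching any state, and reject malformed input.
function example_dismiss_notice_checked() {
    // check_ajax_referer() terminates the request with -1/403 when the nonce
    // is missing or invalid.
    check_ajax_referer( 'example_dismiss_notice', 'nonce' );

    // Only administrators may dismiss admin notices; pick the narrowest
    // capability that fits the action rather than reusing a broad one.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $notice = isset( $_POST['notice'] ) ? sanitize_key( $_POST['notice'] ) : '';
    if ( '' === $notice ) {
        wp_send_json_error( array( 'message' => 'Missing notice id.' ), 400 );
    }

    update_option( 'example_notice_dismissed_' . $notice, 1 );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_dismiss_checked', 'example_dismiss_notice_checked' );

// The admin page must hand the nonce to the browser, or the hardened handler
// rejects legitimate requests too. 'example-admin' is an assumed script handle.
function example_enqueue_dismiss_script() {
    wp_localize_script( 'example-admin', 'exampleDismiss', array(
        'nonce' => wp_create_nonce( 'example_dismiss_notice' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_dismiss_script' );
```

When auditing a plugin for this class of issue, the thing to look for is every `wp_ajax_*`, `admin_post_*` and REST route callback and whether it performs both a nonce/`permission_callback` check and a `current_user_can()` test before writing options, posts or files; a nonce alone only proves the request came from the site's own page, not that the user is allowed to perform the action.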
Ditto. Details: https://patchstack.com/database/vulnerability/unyson/wordpress-unyson-plugin-2-7-28-broken-access-control-vulnerability
Here's hoping there is still a development team associated with this product.
Ditto, also from iThemes Vulnerability Report, https://ithemes.com/blog/wordpress-vulnerability-report-october-4-2023
200k+ installs and nobody cares? Looks like http://themefuse.com/ is out of business.
I think it's more that they've abandoned all of their other projects to focus on Brizy, which to me isn't really a good look for Brizy.
Just sent an email to [email protected] asking them to check out the Unyson Github Issues area along with the two links listed here offering details on the vulnerability. No idea if they will respond, so far just an automated reply with the usual we will respond soon.
Received this reply a couple of hours ago:
Denis here from Brizy Support department. Thank you for contacting us. Thank you for reporting this. I've reported this to the team; they will check this ASAP.
Hello Everyone. I hope all is well.
I am also facing a similar issue. The company was formed in 2009 by Sergiu Bagrin, Dimi Baitanciuc, Bogdan Condurache, and Alex Luncasu. I have checked on LinkedIn and found Dimi Baitanciuc, Co-Founder at ThemeFuse/Unyson Framework. (https://www.crunchbase.com/person/dimi-baitanciuc) I sent him a message. If you want, you guys can reach him too if there is a delay and nobody works on this issue.
LinkedIn ID: https://ro.linkedin.com/in/dimi-baitanciuc-28b8a0122
I too bought a theme a few years ago and have now also been notified about the security risk. It is really bad.
@UPTimbo Could you update the issue title to something more descriptive?
So, my questions, should a/the dev actually decide to address our group are as follows:
- what are the actual real-world risks associated with the identified vulnerability?
- will there be an effort to address the vulnerability with an update and if so, how long is that expected to take?
While it is good to know we aren't all alone with the concern as users, it would be somewhat comforting to hear from the developers that there is a plan to resolve the matter.
- what are the actual real-world risks associated with the identified vulnerability?
See description here at the Wordfence vulnerability report
Hello @twright6 Did you receive any further replies from Brizy Support? I think nobody is working on it.
I've heard nothing further. That is exactly the same message I got to my initial email to them. Suspect we are on our own, folks.
Have you tried replying to their reply to inquire about progress? Security issues are security issues and need dealing with quickly. Especially since it's reached the public reporting stage!
I have a personal site that is not important at all but still gets many attacks daily!!
Just today this came in a notice from a Wordfence Alert: * The Plugin "Unyson" has been removed from wordpress.org but is still installed on your site. Plugin contains an unpatched security vulnerability.
Does this mean rather than working on a patch, they are abandoning the plugin?
That typically happens when there is an unpatched vuln, to prevent people downloading it fresh until the issue is resolved. Hopefully devs are actively working on it
Also, new WordPress upgrades may cause the site to break. I wish my theme did not depend on it.
I tried now to disable the Unyson plugin and the site seems unaffected. I will enable it only when I add or modify pages.
unfortunately I am unable to disable it on my client's site - stuff breaks all over the place
Disabling Unyson totally ruins the look of my pages. I believe I would have to completely rebuild my site. I suppose that I should learn not to build pages using a plugin, because any one of them could pull the plug on their support, and I'd end up right back here once more.
I was viewing a cached version. Me too, if I disable this plugin the site breaks.
This is really annoying: first they let millions of people use their product and then disappear. Can anyone patch the files? Can we bring in someone from outside and get their help? Does anyone know an expert who can help?
My website is useless without this framework
@WebDragon It would be better if we all sent a message to their support email. At least they will see many requests coming in.
I think we all should email them.
I warned the developer of my theme that he considers Unyson a necessary plugin. Unfortunately, my site was hacked yesterday and I believe they most likely entered through the Unyson plugin. Fortunately, I built my template with Visual Composer and I've disabled the plugin now.
@Toscky It's really bad to hear this. Which alternate framework did you use to build the template with Visual Composer?
Please help us too; how can we replace Unyson ourselves?
I activated Cloudflare Under Attack Mode. Does this help?
Maybe also disable access from visitors that use a VPN, because all hackers use VPNs or Tor: https://www.youtube.com/watch?v=5UdIn1_FoaM
My theme was also compatible with Visual Composer, and fortunately the theme pages were built with Visual Composer, so I was able to disable the Unyson plugin. If you used Unyson as the main builder, you will inevitably have to rebuild the pages.
Reply to a second email received moments ago:
Your report is very important. An internal issue was created for the team last week. The issue is still in progress. Today I received a reply from the team that developers plan to work on this issue this week. Once this is fixed, I will let you know.
I'm curious ... Thanks for the info twright6 ;)