Warning: This theme is not secure!

Hi,

there is a known security issue with the Epsilon framework. This framework is part of the Sparkling theme. Attackers are actively using this to gain access to websites. Please fix this as soon as possible!

See this blogpost for more details:

Thanks @metasequ0ia for raising this.

It is very important that this is fixed ASAP.

But if it helps anyone, you can block specific URL strings in your htaccess file.
As an example, this is what I have added to (the very top of) htaccess to counteract this specific issue.

RewriteEngine On
RewriteCond %{QUERY_STRING} action=register
RewriteRule (.*) / [R=302,L]

To explain, this will redirect any URL with the register string to the URL in line 3 (i.e. /).
You can replace that / with any URL.
e.g. I have a manually-written noaccess.html on my sites, hence my htaccess file reads as follows:

RewriteEngine On
RewriteCond %{QUERY_STRING} action=register
RewriteRule (.*) /noaccess.html [R=302,L]

This of course should only be used where you don’t want user registrations!!!

I hope this helps someone.

But we need the core vulnerability fixed, please, and ASAP.
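As an added example (not from the thread or the theme), a small Python scanner that applies the same `action=register` pattern as the RewriteCond above to the query string of each request in an Apache combined-format access log, and separates hits that the rule redirected (302) from hits that were not redirected. Note that the RewriteCond pattern is an unanchored regex on the query string only, so it also matches strings like `myaction=registered`; the log lines below are constructed sample data.

```python
import re
from urllib.parse import urlsplit

# Pattern taken from the posted RewriteCond; unanchored, so it matches anywhere
# in the query string (e.g. also "myaction=registered"), never the request body.
COND_PATTERN = re.compile(r"action=register")

# Apache combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2020:12:00:01 +0000] "GET /?action=register HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.4 - - [10/Nov/2020:12:00:05 +0000] "GET /?s=hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:12:00:09 +0000] "POST /index.php?action=register HTTP/1.1" 200 412 "-" "python-requests/2.25"
192.0.2.9 - - [10/Nov/2020:12:00:12 +0000] "GET /page?myaction=registered HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (ip, method, path, query, status), or None if the line is malformed."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return m.group("ip"), m.group("method"), parts.path, parts.query, int(m.group("status"))

def scan(log_text):
    """Apply the RewriteCond pattern to each request's query string.

    Hits with status 302 were redirected by the rule; any other status means the
    request matched but was served, i.e. the .htaccess rule was not in effect for it.
    """
    result = {"redirected": [], "not_redirected": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, query, status = rec
        if not COND_PATTERN.search(query):
            continue
        bucket = "redirected" if status == 302 else "not_redirected"
        result[bucket].append((ip, method, path, query, status))
    return result

if __name__ == "__main__":
    for bucket, hits in scan(SAMPLE_LOG).items():
        print(bucket, len(hits))
        for hit in hits:
            print("  ", hit)
```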

Hey there

So sorry about that, the problem is already reported, we know about it and I hope it will be resolved as soon as possible.

Regards

So, when is “as soon as possible”? In this case, every hour counts. We need an update! Bots are actively exploiting this vulnerability.

Is replacing the Epsilon framework in /wp-content/themes/sparkling/inc/libraries/epsilon-framework with a more recent version a solution to the vulnerability?

In the meantime, Sparkling has been added to the list of affected themes here. With the hint that you should uninstall it because there is no patch!

Hi

So sorry about that, I also reported this problem to the management team, unfortunately I can't say when exactly this will be handled but we give great priority to dealing with such problems.

Thanks in advance

Hello,
nothing has happened here for over two weeks. It seems to me that safety issues are not taken seriously here. “Great priority” should look different!
No update, no advice to the users, no workaround… That’s sad.
I can’t recommend this theme and all other themes from Colorlib. On the contrary: I will actively use all the channels available to me to point out these problems. Security is the number one issue on the net! Here it is not taken seriously. Goodbye!

Hi @metasequ0ia

So sorry to hear this, I truly understand you, this problem really took a while, I will send a notification to appropriate team members.

Regards

Is this still outstanding? I definitely don’t want to develop a site with a theme prone to being hacked.

Yes, unfortunately still no response from the developers. I do not understand this irresponsible behavior. It is necessary to avoid this theme. It is not safe. I have reported the theme to WordPress Themes Team and the people there are also in contact with the developers. However, it’s been over a week now and nothing seems to be happening. Sad…

Any recommendations for themes with a similar design that aren’t actively insecure? Whilst I have no immediate plans to use user accounts, I’d rather have the option to safely do so in the future.

Hello everyone, please someone help me, I just purchased the theme and don’t know how to use it in WordPress.

Sparkling is a free theme and I would advise against using it, as discussed in the thread it’s very easy to hack.