[magnus]

Regarding this XSS vulnerability that has been a problem for a long time ….

I thought it might be better to change theme so I have searched and tested a lot of different themes. But I have not found any other theme that has a plugin that is as good as Serious Theme Settings, not even in the paid PRO versions. I have tried OceanWP Pro and Astra Pro, but they are not even close to what Serious Theme Settings can do.

All of us have probably been using Serious Theme Settings for so long that we do not appreciate what it can do and just take it for granted.

The Serious Theme Settings plugin is actually so good that it should not be free, but rather it should cost money.

So if the problem with fixing the XSS vulnerability is the economy, then I and probably many other users are willing to pay for the Serious Theme Settings plugin.

With that said, I wish everyone a happy new year.

• This topic was modified 1 year ago by magnus.

[stephsauteandsoak]

Hi, I am continuing to have this error pop up: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the bravada domain was triggered too early.

I have tried to email and to respond to other threads mentioning this. The error shows on the audience side so this really needs to be resolved ASAP, please. I do not want to have to rebuild my website away from anything Cryout is doing, but after two months of trying I am starting to think I will have to.

[bassicsax]

I am not sure what errors you folks are all getting. I use Cryout Creations in all the websites that I’ve created for clients, as well as myself. I use a variety of themes, some Plus, some Free, ranging from Bravada to Septera.

Although I too was getting error codes a few months ago, those long ago have vanished. I no longer get them in either Jetpack or Wordfence.

Just last week I updated everyone’s sites to the latest version of WP (6.2) and all their plugins. No error codes appear.

I would be lying if I didn’t acknowledge that I have been frustrated with the tech response in the past by CC. That said, in the end they have come through, and did reply and sent out the patches, or told me how to fix what needed to be fixed.

I appreciate the hard work the Zed and the team at CC have done on their themes and plugins. They are functional, and quite user friendly.

Website: bassic-sax.info/version5

• This reply was modified 1 year ago by bassicsax.

[scldad]

OK. Just found the earlier posts.
Nil desperandum.

[HUHU7777]

Hello, i have no menue in mobile device and view. tablet an desktop is ok. any idea

[andymantra]

Hi
recently have an issue with one site on my multisite which uses Mantra theme…
I can no longer login to I as super admin, so can’t modify anything.
There’s nothing in the logs so I tried setting up a new user from CLI and adding that user as admin to the site using:
wp user set-role <userno> administrator –url=<siteURL>
but get the error:
Fatal error: Uncaught TypeError: extract(): Argument #1 ($array) must be of type array, null given in /var/www/clients/client7/web7/web/wp-content/themes/mantra/includes/theme-setup.php:53
which is the call:
extract( $mantra_options );

I’ve had lots of similar issues upgrading PHP to 8.n as typing is more strict than it used to be and I don’t get away with what I used to, so guessing this may be the problem…
Any ideas?

[perthsim]

I use Tempera on a variety of websites, and in recent weeks I’ve noticed that bullet points have disappeared from unordered lists on all those sites – presumably with a recent theme update?

I have “Content List Bullets” set to “Show” – I have not changed this on any of the sites, but the bullet points are not showing.

[scldad]

If I login to WP and navigate to Appearance/Menus on my Android tablet, I can see all of my menu entries but if I click on any of the menu items, they do not open so I cannot edit/move/remove them as I can when using my laptop/desktop.

I have tried Chrome, Samsung and Firefox with the same result.
Is this a theme issue or general WP?

WP 6.6.2

[Kasey Giard]

Since I updated to WordPress 6.7, when I try open a post or page to edit them, the window shakes back and forth horizontally very quickly. I tried changing the theme to one of the WordPress Twenty-Twenty themes and the issue stopped. It returned when I activated Mantra as my theme. Is there a way to fix this?

[ga4arts]

I need insight into how to modify the Kahuna CSS to remove the built-in style where h1 and buttons, and probably more later when I get deeper into customizing. I’ve tried everything I know, but the theme is not responding. Thanks.

[itshorrortime]

Hi
For the zombie theme, if i upload a header image, it does not resize for tablet or phone, so cant see it all.

When i select to hide the site identity details, it is not there in the editor, but it is still there on the live site.

Please help!
Thanks
Tiffany

[paigenelson2715]

I am in a similar boat – I have submitted three tickets and no one has replied. This theme isn’t working in mobile, and is not updating properly anywhere.

[enonet]

Unfortunately, I experienced the same thing.

I opened a ticket on October 15th and then heard nothing. I wrote Zed again on October 23rd. To this day I have had no response! It’s a shame when paying members are treated like this.

[niczar]

Can’t update functions.php file in the child theme since last update.
Get an error
“something went wrong. Your change may not have been saved. Please try again. There is also a chance that you may need to manually fix and upload the file over http://FTP.&#8221;

Tried deactivating ALL the plugins, so obviously this error not coming from any installed plugin.

Some problem with parent or child theme file.

Thanks

[cwhiteho]

Apologies – problem solved. Additional CSS had been added in wrong place.

[niczar]

I am using Bravada Plus theme.

How can I add a Sort menu to pages (to sort the products by prices High-Low, Low-High, Sort Alphabetically A-Z or Z-A etc)?

Thanks

[Marcia]

Tengo el tema PARABOLA en dos sites. Aparecen como vulnerables y no hay actualización. Me sugieren que lo delete. Es obvio que no quiero cambiar de tema. Cual es la solución?

I have the PARABOLA theme on two sites. They appear as vulnerable and there is no update. I am suggested to delete it. Obviously I don’t want to change the theme. What is the solution?

Website: celpebrasnapratica.com

[aphurford]

When I set header image rather than banner image the whole site looses functionality, the slider image on the landing page is duplicated vertically and a blue hue covers everything below it. Very weird. Any idea what’s going on or how to fix it? I have multiple images uploaded to the site identity header media that I have set as randomly selected. If I select just one of those instead it still creates the same problem when I set slider image to header rather than banner… I’ve currently got it set to banner to prevent viewers finding a dysfunctional site.

[ammar77]

Hello,

For some reason, the navigation menu names in my footer are highlighted in yellow. I’ve tried to remove the highlight, but I can’t find the option to do so. I would greatly appreciate any help. Here is the link to the website in question: https://www.badr.ca/

Thank you so much!

[magnus]

I thank you very much for the information. I was a little worried when it was quiet from you, but now I can relax a little.

I wish you all at Cryout Creations a nice weekend.

[Zed]

Hi everyone and sorry about the delay with a clarification.

As the warning message displayed by the security plugin itself reads,
this makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages

Due to sub-optimal/missing sanitization to the get_the_author() calls used by the theme, this issue can affect (larger) websites if rogue registered users (contributor/editor levels and above are needed) decide to insert unwanted content in their user name fields.

 

Personally, I find it weird that it’s the theme’s responsibility for sanitizing this data since it’s a core WordPress function returning database-stored content. If that field is not expected to store advanced HTML markup then WordPress should perform the proper level of sanitization/filtering on save.

To be clear, the theme does not handle any saving or input processing for this data, it only displays whatever WordPress already has saved in the database for the user name field, which has passed WordPress existing sanitization rules when that data was saved through the dashboard by users with sufficient permissions on the site.

 

This code has been in our themes in the same or very similar form since their launch (starting with Mantra back in 2009) and we have yet to have any kind of reports about XSS exploits through this route – frankly, if a rogue registered user with sufficient access decides to embed bad content on the site, the user name field is the least of your worries (and most likely not the first target).

This is only now popping up now because a security tester bulk reported the insufficient sanitization to patchstack.com (a large vulnerabilities testing/disclosing database which also offers paid security services), and several security plugins are taking inspiration for their lists of things to monitor from there.

 

Regardless of circumstances, we’ll be hardening the sanitization around the several get_the_author() function calls used in our themes, but since this issue is considered low severity/priority even by the patchstack.com report, we’ll be addressing it in the regular¹ theme updates cycle as we get to them¹ – for example, the correction is already present in the Bravada 1.1.3 update released yesterday.

¹ Mr. Kay had a different plan so you may already notice updates out there addressing this.

 

Status update: As of January 24th 2025, all our themes received updates to harden sanitization on author name output function calls.

 

PS: I’ve split this topic from the original post as that one was about mixed http/https content in the page, which is a different matter.

• This reply was modified 1 year ago by Zed. Reason: updated for updates status
• This reply was modified 1 year ago by Zed. Reason: status update

---

If you like our creations, help us share by rating them on WordPress.org.
Please check the available documentation and search the forums before starting a topic.

[magnus]

I am also concerned about the complete silence from Cryout Creatrions.

This message appeared on several of my web pages several weeks ago:

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API to create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.

I have been using the Tempera theme for about 10 years and one of my web pages is really big with over 1000 posts and almost 1000 pages and there is about 33000 images. So it would be a realy big job to change the theme.

Website: www.hojresor.se

[bedard5115]

More information. Please let me know if there’s a fix. Jetpack’s fix is to remove the mantra plug-in.

Themes Vulnerabilities
Mantra <= 3.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
Description
The Mantra theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Themes
mantra
No known fix
References
CVE
CVE-2024-44056
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ced6450a-7d5a-4091-8181-98c005e74346
Classification
Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)
Miscellaneous
Original Researcher
stealthcopter
Verified
No
WPVDB ID
bf10fd17-849d-404a-8da4-ad633e048c24
Timeline
Publicly Published
2024-08-29 (about 9 days ago)
Added
2024-09-05 (about 1 days ago)
Last Updated
2024-09-05 (about 1 days ago)

[bassicsax]

FYI, I did get a reply from Kay to my Priority Support request. (I should mention it came in a day after I sent the request, I just didn’t see it.) It reads:

Thanks a lot for the info, we’re in the processing of addressing that for a future theme update.
Thanks again and have a great day!

If we can helping you further, please reply to this email or create a new ticket.
Kay, Cryout Creations

OK, so this gives me reason to hope. I have to say, the Bravada theme and Plus themes I use have been updated over the last 6 or so months.

I am guessing CC had some personnel reductions? IDK, but at least we have reasons to be optimistic, b/c like so many of you, I am not a developer. I just have my own sites, and those of clients. If I did have to switch, I couldn’t pass that cost on in a way that would truly off-set the time I would have to spend on such an enormous job.

• This reply was modified 1 year ago by bassicsax.

[Rocky Trifari]

Agreed, we have been left with very little choice. In my case, thankfully, I am not yet encountering any errors or incompatibilities with my theme (at least, nothing major that I can’t work around) which is pretty wild considering it has been OVER 2 YEARS since the last update. At this point, my main concern is keeping up with security patches and code best practices, areas where all of us are objectively falling behind by continuing to use code that’s not being monitored or updated.

I suppose it would be smart for us to get ahead of some catastrophic failure by beginning to look elsewhere or in my case, potentially find someone to hire to help reconstruct everything.

[Rocky Trifari]

Hi, I do not believe these forums are still being checked, unfortunately. I would not anticipate any updates, at least… anytime soon, if ever.

[lynnvr]

Aha, I am glad I am not the only one having troubles. Unfortunately, I am not a developer, only manage a few sites (free) for clubs/associations of which I am a member and for myself. Since the latest php and wordpress updates, I have been having problems with plug ins that have always worked (ninja forms, Stripe payments in Events manager, etc.). Their managers say it is not a problem with the plugin, probably with my theme (parabola) compatibility. What to do if no replies? Sigh…

Website: www.sterrenwacht-gv.nl

• This reply was modified 1 year ago by lynnvr.

[magnus]

I got this message for several days now. What should I do about it?

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API to create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.

[xofmedia]

I’m not sure how old this problem is but I filed a couple support tickets and haven’t heard back. I’m running Fluida Plus now but this problem is also on Septera Plus for other sites I use the themes for.

I found this previous post:
https://www.cryoutcreations.eu/forums/t/comment-counter-on-blog-page

This seems to confirm Cryout Creations are aware of the issue in August 2023, but it’s now 2024 and no fix… Is support dropping?

I used this fix by just adding some css (style.css):

/* Removes itemprop=”discussionURL” */
.comments-link {
visibility: hidden;
}

This seems to remove the problem areas for me while leaving the comments themselves on and the comments count in place for thumbnails (ie: related posts). Temporary fix I’m hoping.

Website: xofmedia.com

[tdbask]

How can I add this functionality to the Tempera theme?

“In Bravada 1.0.7.1 we’ve adjusted this functionality slightly to limit the previous/next post links from the same (main) category (if it exists) as the post being viewed.”