Hello,
We have recently been notified of the following vulnerabilities in Salient Core and Shortcodes.
Please let me know when a patched version will be available for update.
Salient Core <= 2.0.7 - Authenticated (Contributor+) Local File Inclusion via Shortcode
The Salient Core plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.7 via the 'nectar_icon' shortcode 'icon_linea' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
Salient Shortcodes <= 1.5.3 - Authenticated (Contributor+) Local File Inclusion via Shortcode
The Salient Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.3 via the 'icon' shortcode 'image' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
This record contains material that is subject to copyright.
Date: 17.04.2024 | Source: Wordfence
Thank you
Hey Again,
These have been fixed: https://themenectar.com/changelogs/salient.html#:~:text=Updated%20Salient%20Core%20plugin%20to%20v2.0.8
Thanks.
ThemeNectar Support Team
My Salient core shows it is 2.0.5. Should I update with a new version of Salient? It doesn't show that it needs to be updated. Salient version is 16.1.2.
Hi Rob,
Thanks for writing back.
The current version is 16.2.2, so if it does not show any notification to update, you can download the update zip file from Themeforest and upload it. Please refer to this guide on ways you can update the theme: https://themenectar.com/docs/salient/updating-salient/
Also, ensure you have the Envato Market Plugin installed to receive the update notifications when we release any update.
Please let us know how this goes.
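For site owners working through the advisory quoted in this thread, the following is an added example (not code from Wordfence or ThemeNectar): it checks an installed plugin version against the affected ranges stated above and reviews exported post content for the two shortcode attributes the advisory names. The function names, the `(post_id, content)` export shape and the rule that a legitimate value is a plain icon name are assumptions; the sample posts are constructed.

```python
import re

# Highest affected versions, as stated in the advisory quoted in the thread.
AFFECTED_MAX = {"Salient Core": (2, 0, 7), "Salient Shortcodes": (1, 5, 3)}
# Shortcode tag -> attribute named in the advisory.
WATCHED = {"nectar_icon": "icon_linea", "icon": "image"}
# Assumption: a legitimate value is a plain icon name (letters, digits, - and _).
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]+")
# Matches [nectar_icon ...] and [icon ...] but not e.g. [icon_box ...].
TAG_RE = re.compile(r"\[(nectar_icon|icon)(\s[^\]]*)?\]")
# WordPress accepts double-quoted, single-quoted and unquoted attribute values.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")


def is_affected(plugin, version):
    """True if `version` (as shown on the Plugins screen) is in the affected range."""
    parts = tuple(int(n) for n in re.findall(r"\d+", version))
    return parts <= AFFECTED_MAX[plugin]


def audit_posts(posts):
    """Return (post_id, tag, attribute, value) for watched values needing review."""
    findings = []
    for post_id, content in posts:
        for tag, raw_attrs in TAG_RE.findall(content):
            for name, dq, sq, bare in ATTR_RE.findall(raw_attrs):
                value = dq or sq or bare
                if name == WATCHED[tag] and value and not SAFE_VALUE.fullmatch(value):
                    findings.append((post_id, tag, name, value))
    return findings


# Constructed sample export of (post_id, post_content); not real site data.
SAMPLE_POSTS = [
    (101, 'Intro [nectar_icon icon_linea="icon-basic-heart"] text'),
    (102, '[nectar_icon icon_linea="../../CONSTRUCTED/placeholder"]'),
    (103, "Draft [icon image=dir/placeholder.txt] and [icon_box image='x/y']"),
]

if __name__ == "__main__":
    print("Salient Core 2.0.5 affected:", is_affected("Salient Core", "2.0.5"))
    for finding in audit_posts(SAMPLE_POSTS):
        print("review:", finding)
```

A finding is a prompt to look at the post and its author, not proof of abuse; updating both plugins remains the fix.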