I’m writing to formally report critical security vulnerabilities identified in two plugins that are required dependencies of the Salient theme and currently installed on our site.
The affected plugins are:
Salient Core (version 3.0.8)
Vulnerability: Broken Access Control
Discovered by: João Pedro S Alcântara (Kinorth)
Affected versions: ≤ 3.0.8
Salient Shortcodes (version 1.5.4)
Vulnerability: Cross Site Scripting (XSS)
Discovered by: João Pedro S Alcântara (Kinorth)
Affected versions: ≤ 1.5.4
At present, both Salient Core and Salient Shortcodes cannot be updated, as no patched versions are available through the theme or plugin update mechanism. This leaves known, publicly disclosed vulnerabilities active with no official remediation path.
These vulnerabilities have been flagged by our hosting provider’s security tooling and corroborated through independent security sources. Our host is Hostinger (premium plan), and we are working with a dedicated cyber security specialist. The recommendation from the host is to deactivate and delete both plugins; however, this is not feasible as they are tightly coupled to the Salient theme and required for core site functionality.
At present, neither plugin offers an update path, which leaves us in a position where:
Known vulnerabilities are active on a production site
The plugins cannot be safely removed
There is no available patch or mitigation guidance from the theme author we also can
Given the severity of the issues (Broken Access Control and XSS), this presents a significant security risk, including potential unauthorised access and exploitation across the site.
We urgently request the following:
Confirmation that you are aware of these vulnerabilities
A clear timeline for patched plugin releases
Immediate mitigation steps we can apply in the interim
Clarification on why these versions remain distributed if they contain known vulnerabilities
Please note we have updated the theme to the latest version, but those two items still show vulnerabilities.
Please treat this as a priority security issue. We have invested significant time and resources into building on Salient and need assurance that this is being actively addressed.
We look forward to your urgent response.
Regards, Wes
Hi Again,
Thanks for reaching out!
Please view: https://themenectar.com/changelogs/salient.html#:~:text=Required%20Plugins-,Salient%20Core,-3.1.2
and update to the Latest Salient Theme Version.
The current version of the theme is v18.0.2 and the current version of the Salient WPBakery is v8.6.1. Salient versions older than v11 won't be compatible with WordPress 5.5.
Here's the documentation on the available methods for updating Salient: http://themenectar.com/docs/salient/updating-salient/#methods
To get a list of Bug Fixes and new Feature addons in the Latest Theme updates, view the change log here: http://themenectar.com/changelogs/salient.html
Best.
Salient Support Team