ThemeFuse / Unyson

A WordPress framework that facilitates the development of WP themes
http://unyson.io

Patch for v2.7.28 to fix missing capability checks #4330

Open UPTimbo opened 9 months ago

UPTimbo commented 9 months ago

I'm getting alerts that the Unyson plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on several functions in versions up to, and including, 2.7.28. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions such as dismissing notices.

Is there a Patch in the works?
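
As an added illustration of the bug class the alert names (this is example code, not Unyson's and not anything posted in this thread): a minimal WordPress admin-ajax "dismiss notice" handler in the vulnerable shape, beside a hardened version. Every hook, function and option name below (`example_dismiss_notice_v1`, `example_dismissed_notices`, and so on) is invented for the example; the page does not identify which Unyson functions are affected, so nothing here should be read as a description of them.

```php
<?php
/**
 * Illustrative pair: a "dismiss notice" admin-ajax handler with the defect
 * class the advisory names (no capability check), and a hardened version.
 * Every name below (hooks, functions, option key) is invented for this
 * example; none of it is Unyson code.
 */
defined('ABSPATH') || exit;

/*
 * VULNERABLE SHAPE. wp_ajax_{action} only fires for logged-in users, so an
 * author may assume "logged in" means "administrator". It does not: a
 * subscriber's session cookie satisfies it, and nothing else is checked.
 * A subscriber can therefore run (cookie value and host assumed):
 *   curl -b 'wordpress_logged_in_<hash>=<value>' \
 *        -d 'action=example_dismiss_notice_v1&notice_id=update-available' \
 *        https://example.test/wp-admin/admin-ajax.php
 * and change site-wide state. There is no nonce either, so a cross-site POST
 * from a page the victim visits while logged in works as well.
 */
add_action('wp_ajax_example_dismiss_notice_v1', 'example_dismiss_notice_v1');
function example_dismiss_notice_v1() {
    $notice_id = isset($_POST['notice_id']) ? sanitize_key($_POST['notice_id']) : '';
    $dismissed = (array) get_option('example_dismissed_notices', array());
    $dismissed[$notice_id] = time();
    update_option('example_dismissed_notices', $dismissed);   // site-wide state
    wp_send_json_success();
}

/*
 * HARDENED SHAPE. Three checks the vulnerable handler lacks, ordered so the
 * cheapest rejection happens first.
 */
add_action('wp_ajax_example_dismiss_notice_v2', 'example_dismiss_notice_v2');
function example_dismiss_notice_v2() {
    // (1) CSRF: dies with HTTP 403 unless the request carries a nonce minted
    //     for this exact action (see the enqueue hook below).
    check_ajax_referer('example_dismiss_notice', 'nonce');

    // (2) Authorization: require the capability the written resource needs.
    //     A site-wide notice is an administrator concern, hence manage_options.
    //     If the notice were per-user, write user meta for get_current_user_id()
    //     instead and a weaker capability such as 'read' would be enough; the
    //     check has to match the scope of what is modified.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'forbidden'), 403);
    }

    // (3) Input: accept only notice ids the plugin actually defines.
    $known     = array('update-available', 'welcome');
    $notice_id = isset($_POST['notice_id']) ? sanitize_key(wp_unslash($_POST['notice_id'])) : '';
    if (!in_array($notice_id, $known, true)) {
        wp_send_json_error(array('message' => 'unknown notice'), 400);
    }

    $dismissed = (array) get_option('example_dismissed_notices', array());
    $dismissed[$notice_id] = time();
    update_option('example_dismissed_notices', $dismissed);
    wp_send_json_success(array('dismissed' => array_keys($dismissed)));
}

// Mint the nonce the hardened handler's JavaScript caller must send. Any
// logged-in user can read their own nonce from an admin page; that is fine,
// because the nonce only binds the request to that user's session and
// check (2) still decides whether the user may act.
add_action('admin_enqueue_scripts', function () {
    wp_add_inline_script('jquery', sprintf(
        'window.exampleDismiss = %s;',
        wp_json_encode(array(
            'url'   => admin_url('admin-ajax.php'),
            'nonce' => wp_create_nonce('example_dismiss_notice'),
        ))
    ));
});
```

The practical check when auditing a plugin for this class is to list every `wp_ajax_*`, `admin_post_*` and REST callback and ask, for each write it performs, which capability gates it: the `wp_ajax_` prefix itself only proves a session exists, and a `nonce` check alone proves intent, not permission. Both are needed whenever the handler changes state that a subscriber should not be able to touch.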

twright6 commented 9 months ago

Ditto. Details: https://patchstack.com/database/vulnerability/unyson/wordpress-unyson-plugin-2-7-28-broken-access-control-vulnerability

Here's hoping there is still a development team associated with this product.

lhberg commented 9 months ago

Ditto, also from iThemes Vulnerability Report, https://ithemes.com/blog/wordpress-vulnerability-report-october-4-2023

200k+ installs and nobody cares? Looks like http://themefuse.com/ is out of business.

clickbait commented 9 months ago

Looks like http://themefuse.com/ is out of business.

I think it's more that they've abandoned all of their other projects to focus on Brizy, which to me isn't really a good look for Brizy.

twright6 commented 9 months ago

Just sent an email to support@brizy.io asking them to check out the Unyson Github Issues area along with the two links listed here offering details on the vulnerability. No idea if they will respond, so far just an automated reply with the usual we will respond soon.

twright6 commented 9 months ago

Received this reply a couple of hours ago:

Denis here from Brizy Support department. Thank you for contacting us. Thank you for reporting this. I've reported this to the team, they will check this ASAP.

DevMasterAGI commented 9 months ago

Hello Everyone. I hope all is well.

I am also facing a similar issue. The company was formed in 2009 by Sergiu Bagrin, Dimi Baitanciuc, Bogdan Condurache, and Alex Luncasu. I have checked on LinkedIn and found Dimi Baitanciuc, Co-Founder at ThemeFuse/Unyson Framework. (https://www.crunchbase.com/person/dimi-baitanciuc) I sent him a message. If you want, you guys can reach him too if there is a delay and nobody works on this issue.

LinkedIn ID: https://ro.linkedin.com/in/dimi-baitanciuc-28b8a0122

izac3d commented 9 months ago

I too bought a theme a few years ago and was now also notified about the security risk. It is really bad.

izac3d commented 9 months ago

@UPTimbo Could you update the issue title to something more descriptive?

twright6 commented 9 months ago

So, my questions, should a/the dev actually decide to address our group are as follows: 1) what are the actual real-world risks associated with the identified vulnerability? 2) will there be an effort to address the vulnerability with an update and if so, how long is that expected to take?

While it is good to know we aren't all alone with the concern as users, it would be somewhat comforting to hear from the developers that there is a plan to resolve the matter.

WebDragon commented 9 months ago
  1. what are the actual real-world risks associated with the identified vulnerability?

See description here at the Wordfence vulnerability report

DevMasterAGI commented 8 months ago

Received this reply a couple of hours ago:

Denis here from Brizy Support department. Thank you for contacting us. Thank you for reporting this. I've reported this to the team, they will check this ASAP.

Hello @twright6 Did you receive any further replies from Brizy Support? I think nobody is working on it.

twright6 commented 8 months ago

I've heard nothing further. That is exactly the same message I got to my initial email to them. Suspect we are on our own folks.

WebDragon commented 8 months ago

I've heard nothing further. That is exactly the same message I got to my initial email to them. Suspect we are on our own folks.

Have you tried replying to their reply to inquire about progress? Security issues are security issues and need dealing with quickly. Especially since it's reached the public reporting stage!

izac3d commented 8 months ago

I have a personal site that is not important at all but still gets many attacks daily!!

UPTimbo commented 8 months ago

Just today this came in a notice from a Wordfence Alert: * The Plugin "Unyson" has been removed from wordpress.org but is still installed on your site. Plugin contains an unpatched security vulnerability.

Does this mean rather than working on a patch, they are abandoning the plugin?

WebDragon commented 8 months ago

Just today this came in a notice from a Wordfence Alert: * The Plugin "Unyson" has been removed from wordpress.org but is still installed on your site. Plugin contains an unpatched security vulnerability.

Does this mean rather than working on a patch, they are abandoning the plugin?

That typically happens when there is an unpatched vuln, to prevent people downloading it fresh until the issue is resolved. Hopefully devs are actively working on it

izac3d commented 8 months ago

Also, new WordPress upgrades may cause the site to break. I wish my theme did not depend on it.

izac3d commented 8 months ago

I tried now to disable the Unyson plugin and the site seems not affected. I will enable it only when I add or modify pages.

WebDragon commented 8 months ago

unfortunately I am unable to disable it on my client's site - stuff breaks all over the place

UPTimbo commented 8 months ago

Disabling Unyson totally ruins the look of my pages. I believe I would have to completely rebuild my site. I suppose that I should learn not to build pages using a plugin, because any one of them could pull the plug on their support, and I'd end up right back here once more.

izac3d commented 8 months ago

I was viewing a cached version. Me too: if I disable this plugin the site breaks.

DevMasterAGI commented 8 months ago

This is really annoying: first they let millions of people use their product and then disappear. Can anyone patch the files? Can we bring in someone from outside and get their help? Does anyone know an expert who can help?

My website is useless without this framework

DevMasterAGI commented 8 months ago

I've heard nothing further. That is exactly the same message I got to my initial email to them. Suspect we are on our own folks.

Have you tried replying to their reply to inquire about progress? Security issues are security issues and need dealing with quickly. Especially since it's reached the public reporting stage!

@WebDragon It would be better if we all sent messages to their support email. At least they will see many requests coming in.

I think we all should email them.

Toscky commented 8 months ago

I warned the developer of my theme, who considers Unyson a necessary plugin. Unfortunately, my site was hacked yesterday and I believe they most likely entered through the Unyson plugin. Fortunately, I built my template with Visual Composer and I've disabled the plugin now.

DevMasterAGI commented 8 months ago

I warned the developer of my theme, who considers Unyson a necessary plugin. Unfortunately, my site was hacked yesterday and I believe they most likely entered through the Unyson plugin. Fortunately, I built my template with Visual Composer and I've disabled the plugin now.

@Toscky It's really bad to hear this. Which alternate framework did you use to build the template with Visual Composer?

Please help us too; how can we replace Unyson ourselves?

izac3d commented 8 months ago

I activated cloudflare Under Attack Mode. Does this help ?

izac3d commented 8 months ago

Maybe also disable access from visitors that use a VPN, because all hackers use a VPN or Tor: https://www.youtube.com/watch?v=5UdIn1_FoaM

Toscky commented 8 months ago

I warned the developer of my theme, who considers Unyson a necessary plugin. Unfortunately, my site was hacked yesterday and I believe they most likely entered through the Unyson plugin. Fortunately, I built my template with Visual Composer and I've disabled the plugin now.

@Toscky It's really bad to hear this. Which alternate framework did you use to build the template with Visual Composer?

Please help us too; how can we replace Unyson ourselves?

My theme was also compatible with Visual Composer, and fortunately the theme pages were built with Visual Composer, so I was able to disable the Unyson plugin. If you used Unyson as the main builder, you will inevitably have to rebuild the pages.

twright6 commented 8 months ago

Reply to a second email received moments ago:

Your report is very important. Internal issue was created for the team last week. Issue is still in progress. Today I received reply from the team that developers plan to work on this issue this week. Once this will be fixed, I will let you know.

WillMartM commented 8 months ago

Reply to a second email received moments ago:

Your report is very important. Internal issue was created for the team last week. Issue is still in progress. Today I received reply from the team that developers plan to work on this issue this week. Once this will be fixed, I will let you know.

I'm curious ... Thanks for the info twright6 ;)

ypesh commented 8 months ago

Can we fix it ourselves? What is required?

twright6 commented 8 months ago

Can we fix it ourselves? What is required?

Someone with an intimate knowledge of PHP, WordPress and security issues. I'm still hopeful the developer of the original project will speak up here soon and at least state their intentions.

ypesh commented 8 months ago

Just a long shot, but short of having to convert all pages to static html and turn off wordpress. I think we should try using ChatGPT to analyse the php code. I'm happy to look into this, and report back.

clickbait commented 8 months ago

the CVE details of the vulnerability aren't published yet, we would likely have to wait for them for the specifics on the vulnerability unless someone wants to comb through all the code and try to find where it is themselves.

the issue has however been marked as low priority on patchstack and someone above mentioned that the brizy team were looking at patching it this week.

DevMasterAGI commented 8 months ago

This week is almost over, and I think nobody is working on this issue. I don't know if there is any official announcement from the developers that they have started working on it.

The Google SEO algorithm punishes websites heavily for those who use vulnerable plugins or unsecured code.

twright6 commented 8 months ago

I have emailed again asking that a developer address our group here. Since their website only offers this Github channel as a support source, one would think they would at least make a posting here with their intentions. If anyone else wishes to voice their concerns, the email address I have been using is: support@brizy.io and Denis is the person who has been responding. It does not sound like Denis is one of the developers. Wish I had more comforting news, but at this point I think a developer's response will be the only thing that offers any assurances for any of us. I understand that a fix may require time, but the simple polite effort of responding here with pertinent details would only require two minutes. This will be my final post on this matter, I will await a response on this channel from a developer along with the rest of you. Good luck gang.

mutag commented 8 months ago

Wondering... if the site doesn't allow anyone to create an account, is this a vulnerability?

"missing capability checks on several functions in versions up to, and including, 2.7.28. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions such as dismissing notices"

DevMasterAGI commented 8 months ago

@ViorelEremia Could you help us fix the Unyson [missing capability checks]? A lot of business losses are happening due to this issue. We have noticed you have been actively working on Brizy issues, and you have fixed Unyson bugs in the past as well. I look forward to your reply.

clickbait commented 7 months ago

Still no official response? Wouldn't recommend using Brizy long term then if this is the future of it.

WebDragon commented 7 months ago

Still no official response? Wouldn't recommend using Brizy long term then if this is the future of it.

It's an embarrassment - if they were going to abandon it, you would think they would at least come here and say so, so that we could make decisions now, instead of putting them off in the hopes they are going to fix the security hole.

And you're right -- if this is the state of things, it doesn't speak well for the future of any of their other projects, and I'm going to have to consider recommending our client move away from brizy as well

WillMartM commented 7 months ago

Since we certainly won't get an answer or help, can anyone suggest an alternative to Unyson?

I have an existing forum with the Unyson framework and when I want to use another one such as Elementor, the site no longer works.

Can someone give a tip please?

Thank you

WebDragon commented 7 months ago

Since we certainly won't get an answer or help, can anyone suggest an alternative to Unyson?

I have an existing forum with the Unyson framework and when I want to use another one such as Elementor, the site no longer works.

Can someone give a tip please?

Your only real alternative is to set up a staging site with a copy of the live site (left live for reference) and disable Unyson on the staging server, and then rebuild the pages using an alternative: Elementor if it's a complex site, Kadence Blocks if not. And when you're done, push the updated site live. We're facing that ourselves.

WillMartM commented 7 months ago

Your only real alternative is to set up a staging site with a copy of the live site (left live for reference) and disable Unyson on the staging server, and then rebuild the pages using an alternative: Elementor if it's a complex site, Kadence Blocks if not. And when you're done, push the updated site live. We're facing that ourselves.

OK all clear. Thank you for this information or help.

yura-x commented 7 months ago

I have contributed to this great plugin several times from my personal and corporate accounts. It is very sad that nobody maintains it now. It has the best custom fields system for any custom post type and the best Customizer options system. The demo content and backup extensions are also the best: all IDs are in place after installation.

@ViorelEremia, can you please at least confirm that your company has abandoned this great plugin so we can know for sure?

The plugin has been blocked in the official WP repository since 11 October: https://wordpress.org/plugins/unyson/

Please just let us know if your company has no plans to fix it ever. Thank you very much!

clickbait commented 7 months ago

I contacted Brizy support about a week ago and they replied saying that they are committed to resolving the issue but are unable to provide an estimate of when it will be resolved.

So there's potential there will be a fix eventually, but not sure whether there is any urgency to release it.

Scottzozer commented 7 months ago

Commenting so I can stay in the loop. I use the Kerge theme to build my personal portfolio site, so I'm not sure the security issue will affect me, as I do not allow anyone to create accounts on my site.

It does make me question what page building plugin makes the most sense that something this popular can just die off into the ether of the web.

MwTechSupport commented 7 months ago

Hello, Dear Friends!

As temporary measures for protection, you may perform the following steps:

  1. Disable User Registrations in WordPress. Go to Settings → General in your WordPress dashboard. Look for the option that reads Anyone can register and deselect it. After you disable the setting, save your changes. If you have a user registration link in your site's main navigation menu, remember to remove it as well.
  2. Install this security plugin: https://wordpress.org/plugins/block-bad-queries/ It blocks a wide range of malicious URL requests.
  3. Connect your website to the Cloudflare CDN. Machine learning adds powerful rulesets that stop threats including newly discovered "zero days", as well as bypasses and attack variations. With custom rules you can configure your WAF to protect against any threat or implement business-specific policies. Since zero-day threats are hard to detect and the security landscape is constantly changing, a Managed Ruleset helps protect against these vulnerabilities. Cloudflare regularly updates Managed Rulesets to provide ongoing protection.

All these steps will significantly improve your website security.

Best Regards!
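
An added example, not part of the thread and not Unyson code, of the first step above done in code rather than through the Settings screen: a must-use plugin that pins "Anyone can register" off so it cannot be re-enabled from wp-admin, and shows administrators how many accounts exist per role, since the advisory's attacker needs an existing subscriber-level login rather than a fresh registration. The file path, plugin name and notice wording are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Example registration lockdown (illustrative mu-plugin)
 * Description: Keeps self-registration off and surfaces how many low-privilege
 *              accounts exist while a plugin with missing capability checks is
 *              unpatched. Save as wp-content/mu-plugins/example-lockdown.php
 *              (assumed path). Must-use plugins load automatically, before
 *              regular plugins, and cannot be deactivated from wp-admin.
 */
defined('ABSPATH') || exit;

// 1. Pin "Anyone can register" off. A pre_option_* filter overrides the stored
//    value, so re-enabling the checkbox in Settings > General has no effect.
add_filter('pre_option_users_can_register', '__return_zero');

// 2. Belt and braces: refuse the registration form outright even if some code
//    path reaches it without consulting the option. login_form_{action} fires
//    before wp-login.php dispatches the "register" action.
add_action('login_form_register', function () {
    wp_die(esc_html__('Registration is disabled on this site.'), 403);
});

// 3. Tell administrators who could still satisfy "authenticated, subscriber
//    level or above": every existing account counts, so the roles need review.
add_action('admin_notices', function () {
    if (!current_user_can('manage_options')) {
        return;
    }
    // count_users() returns array('total_users' => n, 'avail_roles' => array(role => n)).
    $counts = count_users();
    $parts  = array();
    foreach ($counts['avail_roles'] as $role => $n) {
        if ($n > 0) {
            $parts[] = sprintf('%s: %d', $role, $n);
        }
    }
    printf(
        '<div class="notice notice-warning"><p>%s</p><p>%s</p></div>',
        esc_html__('Self-registration is pinned off by example-lockdown.php.'),
        esc_html(sprintf(
            'Accounts that can reach admin-ajax.php as logged-in users (%d total): %s',
            (int) $counts['total_users'],
            implode(', ', $parts)
        ))
    );
});
```

Disabling registration only removes one way of obtaining the low-privilege session the advisory requires; existing subscriber accounts, including ones created by membership or comment plugins, still qualify. On a host with WP-CLI installed (an assumption), `wp user list --role=subscriber --fields=ID,user_login,user_registered` lists the accounts worth reviewing, and any that are not needed can be removed with `wp user delete <ID> --reassign=<admin-ID>`.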

baturkacamak commented 5 months ago

If I knew where it actually happens, I could have created a patch for this. Is there a way to view where it happens?

WebDragon commented 3 months ago

2.7.29 was just released, solely to add the version bump and the following lines to the readme file:

+= How can I report security bugs? =
+
+You can report security bugs through the Patchstack Vulnerability Disclosure Program. The Patchstack team help validate, triage and handle any security vulnerabilities. [Report a security vulnerability.](https://patchstack.com/database/vdp/unyson)
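
Review bot: a readme-only hunk does not close the reported missing capability checks; a release that bumps the version and points at the Patchstack VDP without touching the affected functions will clear "outdated version" warnings in scanners while leaving the behaviour the advisory describes intact, so 2.7.29 should not be treated as a fixed version on the strength of this change. The fix belongs in the affected handlers themselves (a `current_user_can()` check for the capability the action needs, plus nonce verification, before any state change), and the readme's changelog entry should say which functions were changed so site owners can verify the version they are running.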

Yes, we know. https://patchstack.com/database/vulnerability/unyson/wordpress-unyson-plugin-2-7-28-broken-access-control-vulnerability How about you fix this, then?

clickbait commented 3 months ago

they have released a fix 🎉