Support Center Visit Demo License manager Buy @ envato

Demo Data is introducing a security vulnerability

mudminmudmin
in General info & installation
When I do a fresh install of WP and install your latest Betheme, there is no uploads folder. When I activate Visual composer, there is no uploads folder. 

However, when I install the demo data, it creates a wp-content/uploads/js_composer folder with 777 permissions.

This is kind of a big deal and probably needs to be fixed. 

Comments

  • mudminmudmin
    It's coming in a few minutes after everything is installed. I'm guessing Visual Composer is pulling it in, but either way, it's a 777 directory by this system
  • AlbertAlbert
    Hi,

    these permissions are set by plugin. Our theme does not have any impact on it so there is nothing what we can do in this case. If you don't like it, you supposed to use our builder instead.

    Thanks!
    Learn more: Video Tutorials | How To | FAQ Vote on what comes next
  • mudminmudmin
    I know that you guys aren't the creators of Visual Composer, but you do include it in your system and even go as far as to flash notices that the plugin is "Required." 

    I think that gives you an obligation to at least warnthe people who pay you for the template of a vulnerability you're introducing or work with Visual Composer (who you have some sort of financial arrangement with) to fix a simple permission issue.

    I don't really think that's too much to ask.  Expecting your customers to go through every folder and double check the permissions, especially ones that appear a few minutes after installing your product is kind of a bridge too far.
  • AlbertAlbert
    We don't know where you read this but this plugin is not required. We always suggest to use our Muffin Builder tool which is much better in use and we can be responsible for all it's settings and options. But for VC, we can't be unfortunately because it's only plugin. So basically we give a choice. If you want to use VC, then you must agree with it's settings. But if you don't like it, just use our Muffin Builder instead because VC plugin is not required for sure and you must misunderstood something.
    Learn more: Video Tutorials | How To | FAQ Vote on what comes next
Sign In or Register to comment.