Demo Data is introducing a security vulnerability

When I do a fresh install of WP and install your latest Betheme, there is no uploads folder. When I activate Visual composer, there is no uploads folder. 

However, when I install the demo data, it creates a wp-content/uploads/js_composer folder with 777 permissions.

This is kind of a big deal and probably needs to be fixed. 

Comments

  • It's coming in a few minutes after everything is installed. I'm guessing Visual Composer is pulling it in, but either way, it's a 777 directory by this system
  • Hi,

    These permissions are set by the plugin. Our theme does not have any impact on it, so there is nothing we can do in this case. If you don't like it, you are supposed to use our builder instead.

    Thanks!
  • I know that you guys aren't the creators of Visual Composer, but you do include it in your system and even go as far as to flash notices that the plugin is "Required." 

    I think that gives you an obligation to at least warn the people who pay you for the template of a vulnerability you're introducing or work with Visual Composer (who you have some sort of financial arrangement with) to fix a simple permission issue.

    I don't really think that's too much to ask.  Expecting your customers to go through every folder and double check the permissions, especially ones that appear a few minutes after installing your product is kind of a bridge too far.
  • We don't know where you read this, but this plugin is not required. We always suggest using our Muffin Builder tool, which is much better in use, and we can be responsible for all its settings and options. But for VC, we can't be, unfortunately, because it's only a plugin. So basically we give a choice. If you want to use VC, then you must agree with its settings. But if you don't like it, just use our Muffin Builder instead, because the VC plugin is not required for sure and you must have misunderstood something.
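An added example, not part of the original thread or of the theme's or plugin's code: a shell check for the condition reported above, a world-writable (777) directory appearing under wp-content after the demo import. The function names and the default target mode of 755 are assumptions of this example; the right mode depends on which user the web server runs as.

```shell
#!/bin/sh
# Added example: audit a wp-content tree for world-writable directories
# (the "other" write bit set, as in mode 777) and tighten them.
# Function names and the 755 default are choices made for this example.

# Print every directory under $1 that any local user can write to.
# -perm -0002 matches when the world-write bit is set, whatever the
# other permission bits are (777, 757, 773, ...).
list_world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Reset every world-writable directory under $1 to mode $2 (default 755:
# owner may write, group and others may only read and traverse).
tighten_world_writable_dirs() {
    root=$1
    mode=${2:-755}
    find "$root" -type d -perm -0002 -exec chmod "$mode" {} +
}

# When called with a path, report only; nothing is changed.
# Re-run it some minutes after a theme or demo-data install, since the
# thread reports the directory showing up with a delay.
if [ "$#" -ge 1 ]; then
    found=$(list_world_writable_dirs "$1")
    if [ -n "$found" ]; then
        echo "World-writable directories under $1:"
        echo "$found"
    else
        echo "No world-writable directories under $1"
    fi
fi
```

Run it as `sh audit.sh /path/to/wp-content` to report, or source the file and call `tighten_world_writable_dirs` once you have confirmed uploads still work with the stricter mode.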