Saturday, December 3, 2011

Patch Statistics

While the bug has been patched and an advisory released for it, I also took the time to do some informal research to gauge the scope of last month's XSS vulnerability.

I started scanning six weeks after the patch release. Therefore it is probably safe to say that the results are representative of those who will patch their systems. Due to the continuing changes in the Google web API, I chose Bing over Google as my search engine of choice. After searching and using a couple of techniques to increase the number of results, I ended up with a list of 1110 different sites running the theme. These were scanned and fingerprinted. Of the 926 systems running standard configurations, here is the version breakdown.

Version - Systems:
2.0.5   -   4
2.9.3   -   1

3.0.1   -  12
3.0.2   - 123
3.0.3   -  10
3.0.4   -  55

3.0.5.1 -  26
3.0.5.2 -  23
3.0.5.3 - 120
3.0.5.4 - 145

3.1     - 406
3.1.2   -   9
3.1.3   -  77
3.1.4   - 162
3.1.5   - 129

No statistical model fit the data. However, one fact is obvious. Patch rates for old versions do not look good. Over two-thirds of the systems running ClassiPress are vulnerable. Part of the problem is that manually copying patch files tends to intimidate the non-technical audience that products like WordPress attract.
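To show how a list of fingerprinted versions turns into a breakdown like the one above, here is an added Python example; it is not the author's scanner. The hostnames, the scan results and the 3.1.10 version string are constructed, and it assumes, as the post states, that every release below 3.1.5 lacks the XSS fix.

```python
from collections import Counter

# Version that shipped the XSS fix, per the post.
PATCHED_VERSION = "3.1.5"


def parse_version(v):
    """Turn '3.0.5.1' into (3, 0, 5, 1) so versions compare numerically.
    Comparing the raw strings would rank a hypothetical '3.1.10' below '3.1.5'."""
    return tuple(int(p) for p in v.strip().split("."))


def is_vulnerable(version, fixed=PATCHED_VERSION):
    """True when the fingerprinted version predates the patched release."""
    return parse_version(version) < parse_version(fixed)


def summarise(fingerprints, fixed=PATCHED_VERSION):
    """fingerprints: iterable of (host, version); version None means the
    fingerprint failed (e.g. a non-standard configuration) and is counted
    separately rather than guessed."""
    counts = Counter()
    unknown = 0
    for _host, version in fingerprints:
        if version is None:
            unknown += 1
            continue
        counts[version] += 1
    total = sum(counts.values())
    vulnerable = sum(n for v, n in counts.items() if is_vulnerable(v, fixed))
    return {
        "by_version": dict(sorted(counts.items(), key=lambda kv: parse_version(kv[0]))),
        "fingerprinted": total,
        "unknown": unknown,
        "vulnerable": vulnerable,
        "vulnerable_share": vulnerable / total if total else 0.0,
    }


# Constructed sample scan results; hostnames and versions are made up.
SAMPLE = [
    ("site-a.example", "3.1.5"),
    ("site-b.example", "3.1"),
    ("site-c.example", "3.0.5.4"),
    ("site-d.example", "3.1.10"),  # hypothetical later release, must rank above 3.1.5
    ("site-e.example", "3.0.2"),
    ("site-f.example", None),      # could not fingerprint
    ("site-g.example", "3.1.4"),
    ("site-h.example", "2.9.3"),
]

if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```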

While looking up a list of version numbers on the AppThemes website I found a nice surprise. AppThemes just explained that version 3.1.5 (which contained the patch) also contained an auto-updater behind the scenes. Companies that pay attention to their customers' needs are appreciated. Thanks, guys!