• Jim

    (@imagenuity)


    Please note the comments below are about a different theme called Deep-Blue by AliveThemes. I mistakenly started this thread by leaving a review on the DeepBlue theme by Daily Blog Tips.

Viewing 12 replies - 1 through 12 (of 12 total)
  • I noticed the article you linked to seems a bit late to the party (well over a year old), and while svn may still contain files, I don’t think that theme has been available here in the Theme Directory for general download for some time now. Trac history is here if you like – https://themes.trac.www.ads-software.com/ticket/5598 – assuming of course we’re talking about the same theme.

    Thread Starter Jim

    (@imagenuity)

    True, that blog post is from last year. (I wrote it.) I didn’t think about linking to it here until I got a comment on my blog post recently.

    Look at the theme stats: https://www.ads-software.com/themes/deepblue/stats/
    It’s been downloaded 60+ times this last week alone.

    This theme should really be removed from the directory. I think it is criminally negligent for theme developers to not remove a theme with known vulnerabilities. How many hundreds or thousands of times has this theme been installed since the vulnerability was discovered? Fixing a hacked server is a huge pain.

    It’s been downloaded 60+ times this last week alone.

    I think you could be referencing the wrong theme (or maybe I am).

    The theme I believe you might actually be concerned with:

    A) (Deep Blue version 1.9.2.) https://themes.trac.www.ads-software.com/browser/deep-blue/

    Author: MegaTheme Author URI: https://www.megathemes.com/

    ..And the theme you’ve referenced for the download stats:

    B) (DeepBlue by Nathan Rice) https://themes.trac.www.ads-software.com/browser/deepblue/

    Author: Nathan Rice for Daily Blog Tips

    I believe they are two different themes with similar names, but I’ll leave it to you to browse the source code if you want to.

    A) Is not available for general download from the Theme Directory, and by looking at the history, I can only guess that it might have been removed about 15 months ago and never reinstated (assuming I’m interpreting the history correctly).

    B) Is old, and although it doesn’t appear to be searchable from the Theme Directory, it still seems accessible for download if someone really wanted it. It also has the usual compatibility issue warning banner being displayed at the top.

    Thread Starter Jim

    (@imagenuity)

    MY MISTAKE! This theme has the same name but is not the one with the vulnerability. APOLOGIES!

    The theme with the vulnerability is my theme, and it’s not available anymore for download on www.ads-software.com; it was removed 15 months ago indeed.

    Thread Starter Jim

    (@imagenuity)

    Funny, I can download it fine from:
    https://themes.trac.www.ads-software.com/browser/deep-blue/1.9.2

    Something should be posted there about the vulnerability and that it won’t be fixed, if it can’t be removed.

    There needs to be communication from AliveThemes that Deep-Blue is vulnerable and should be deleted. Even if it isn’t the active theme, you can look in the themes folder for known vulnerable themes.

    AliveThemes seemed to disappear and leave users hanging.

    Why are you downloading via the theme SVN?

    Thread Starter Jim

    (@imagenuity)

    The point is the theme has a vulnerability, which is not mentioned or acknowledged anywhere.

    I’m campaigning against theme developers that don’t behave responsibly and notify users of problems and vulnerabilities. It needs to be documented, so that it doesn’t lead to yet another hacked server.

    The developer may be embarrassed, but is it more damaging to a reputation to do nothing at all, not to mention the trail of destruction left by an easily hackable theme.

    If you try searching for Deep-Blue via https://www.ads-software.com/themes/ you’ll see that it will not come up. That’s deliberate. It was withdrawn well over a year ago and the theme’s developer has never sought to update & re-submit it for review.

    Please do not download themes via SVN unless you are part of the theme review team. Only download approved themes via https://www.ads-software.com/themes/

    Thread Starter Jim

    (@imagenuity)

    Wow, way to COMPLETELY MISS THE POINT. Like a pit bull dog with lockjaw, just grab on and don’t let go.

    Theme developers have a RESPONSIBILITY to notify users if a theme is compromised. This developer disappeared and did not respond to anyone. This theme can still be found out on the internet. Yes, it was removed from the WordPress catalog. NOWHERE does it say there is a vulnerability. I posted about it, but it should be the developer, who has far more visibility.

    It is understandable if the developer is embarrassed their theme was hacked, or if they are no longer able to continue to develop it. But hoping the problem will just ‘go away’ by doing nothing, rather than doing the right thing is disgraceful, irresponsible, and reprehensible.

    Wow, way to COMPLETELY MISS THE POINT. Like a pit bull dog with lockjaw, just grab on and don’t let go.

    ( a little transference going on there, or what!? *GRIN* )

    My guess would be that the point probably isn’t being lost on anyone. I think it’s evident that www.ads-software.com took action to remove the theme from the Directory as soon as it became clear that there were issues that placed the theme at odds with the normally acceptable standards.

    My thoughts are that in this unfortunate case of mistaken identity, you may have taken an opportunity to publicize a link to a related article on your own site in the hope that it might generate some enthusiasm for the post you originally linked to. There’s nothing wrong with that. You just got the wrong theme because the vulnerable one isn’t listed in the directory anymore. Mistakes happen, and you owned up to it. But so did the theme developer, 6 posts ago.

    While I agree that “iffy” themes with or without vulnerabilities are undesirable…

    This theme can still be found out on the internet.

    …www.ads-software.com doesn’t control what happens on the internet. It only controls www.ads-software.com. I would imagine that the theme developer may not actually control all of those other outlets either – but that’s just an assumption on my part.

    This topic would make a great article for your blog if you’re still that fired up about it. More to the point though, find a way (beyond this discussion of course) to express your thoughts to the developer – who has already stepped up and explained that the theme isn’t available from www.ads-software.com any longer.

    Just my thoughts, mind you. Not intended to be adversarial in nature, just observational.

    Thread Starter Jim

    (@imagenuity)

    Does removing the theme from www.ads-software.com help the people that ALREADY INSTALLED the theme to know there was a vulnerability?

    The developer is responsible to make this information known. The only peep out of the developer in the last two+ years was 7 comments ago. Never EVER a peep that their theme was hackable. I had tried contacting the developer a while ago, and got no response.

    Also, thanks for the insult about trying to drive traffic to my site over this. No good deed goes unpunished, I suppose. Not everyone is a member of the wretched hive of scum and villainy you seem to think they are. Y’know, just ‘observing’.

  • The topic ‘DeepBlue is very nice’ is closed to new replies.