Viewing 5 replies - 1 through 5 (of 5 total)
  • missvlikes

    (@missvlikes)

    Hi – are you guys working to patch this? Are you aware of it? Wordfence, Patchstack, and other security plugins have flagged OnePress as a security risk. Here are the details:

    “The OnePress theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3.8 due to insufficient input sanitization and output escaping.”

    “Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in FameThemes OnePress allows Stored XSS. This issue affects OnePress: from n/a through 2.3.8.”

    Wordfence currently recommends uninstalling and finding a replacement. I don’t intend on doing that, but are you able to provide an ETA on this?

    Hi @alordiel,
    Hi @missvlikes,

    Our team is working to update the template now.

    We will release a new version to fix this soon. For the time being, please keep this template for your website.

    Sorry for this issue, and thank you for your patience.

    This vulnerability was published on July 13th. That’s exactly 2 weeks ago – plenty of time for hackers to attack our websites while we are still waiting for a patched version of this theme. Asking for even more patience is not what I’d expect from developers who take security seriously.

    @boy8xnoname how’s the update going, as this is still an issue?

    Is there any update on this?
