CVE-2016-10953: Headway 3.8.9 Patches Potential XSS Vulnerability

If you noticed an update for Headway, it’s not your mind playing tricks. Late last week, Headway Themes released version 3.8.9 to patch a potential security vulnerability involving the license key field. The vulnerability was discovered and reported to Sucuri by Gary Bairéad, a former Headway Themes employee.

At the time of writing, the company has not publicly announced the availability of 3.8.9 to customers. The update comes more than a month since founders Grant and Clay Griffiths issued an apology for the lack of customer support and communication.

Lack of Communication and Support Continues

Since the apology was published, the company’s blog and social media accounts have remained silent. Bairéad continues to use his site to update the public on the status of Headway Themes. In his most recent post, Bairéad published a number of screenshots that show the company is still not providing the level of support advertised on its site.

One Month Progress Report

I reached out to Grant and Clay Griffiths to find out what progress they’ve made on providing “a first level of support service” as mentioned in the apology, what steps they’ve taken to rebuild the business, and if they have any comments on Bairéad’s article.

“Support is being provided and updates have been and will continue to be pushed,” Grant said. “We are also in contact with Influx to further improve our support,” Clay said.

Influx provides customer support for companies, including those in the WordPress ecosystem such as Advanced Custom Fields. Influx has elastic pricing allowing companies to pay for the amount of support they need. Prices start at $199 per month and increase as the number of responses increases.

While the Griffiths did not recognize unpaid staff in their apology, former employees have since received partial payments of the money they are owed.

Community Is Optimistic About Headway Fork

While the future of Headway Themes and its product remain in limbo, many in the community are optimistically supporting a fork called Blox Builder. Blox is a fork of Headway 3.8.8 created by Maarten Schraven that is 100% GPL licensed.

Headway is Not 100% GPL

According to Headway Theme’s terms of service, “All WordPress themes produced by Headway Themes, LLC are released under the GPL version 2.0 license.”

A key difference between Blox and Headway is that Blox doesn’t use Redactor.js, a WYSISWYG editor. The script is $199 and its license agreement makes it incompatible with the GPL.

Upfront, a product created by WPMU Dev launched with Redactor.js. In the launch post, James Farmer, founder and CEO of WPMU Dev, confirmed that everything in Upfront is GPL except for Redactor, “Everything in Upfront is currently 100% GPL, with that exception, as they won’t let us… we’ve asked,” he said.

At best, Headway is split-licensed but there is no verbiage on the site that informs customers. Considering Clay is a co-owner of a WordPress business that sells a product that is not 100% GPL, should he be able to sponsor WordCamps advertising Pressmatic? According to the WordCamp organizer handbook, no.

If users and customers want to support a 100% GPL product that’s actively developed, check out the community-driven fork. Blox recently came to a consensus on pricing and are offering a 40% discount with three months of extra support and updates for former Headway customers.