Has anyone here had any experience with FlexiThemes?


(Not an affiliate link, don't worry.)

I like their themes (simple, functional and attractive). However, they're not a well-known company. So I want to make sure their themes are clean and contain no malware. They are listed as a GPL-compliant theme provider on WordPress.org, but I don't know if there is any vetting there.

I did notice a couple of base64 commands in their themes, but those appear to just be for encoding and decoding export and import of theme settings (when you want to export your settings and bring them into another instance of the theme on another WordPress installation).

That code:

if($do == 'export') {
echo '<textarea class="fp-textarea" style="height:300px; margin-bottom:30px;">' . base64_encode(serialize(get_option($this->theme->theme_options_name))) . '</textarea>';
} elseif($do == 'import') {
$import_flexipanel_options = $_POST['import_flexipanel_options'];
$import_flexipanel_options = unserialize(base64_decode($import_flexipanel_options));
if(is_array($import_flexipanel_options)) {
update_option($this->theme->theme_options_name, $import_flexipanel_options);

I also ran Donncha's Exploit Scanner, and it flagged quite a few uses of "eval" (which of course is often a false positive). Random examples:

}return eval("("+string+")");}});Native.
return eval(rs);};var Fx=new Class({Implements:[Chain,Event
response = eval("(" + response + ")");

If anyone is familiar with these themes, or can give any feedback on the items mentioned above, it would be greatly appreciated. I don't have ready access to a security expert for the next couple of weeks.



  • drmike
    • DEV MAN’s Mascot

    Never seen them before. (edit: Wow, can't even find a torrent on them. That's surprising.) Gotta admit that I;m surprised that they're listed if they're encoding their php in any way. I always thought any encoding was a nono. GPL requires that folks get a copy of unencoded code with the encoded code.

    And I know that they say you can use the themes in any manner. I would drop them an email and ask them about their use on wpmu/ms installs. I've seen premium theme designers express their annoyance when they discover their themes on a ms/mu install. Even if GPL'ed.

  • wpcdn
    • Syntax Hero

    I don't know if the theme code is actually encoded. I haven't scoured every single file, but I haven't seen anything that actually looks like encoded PHP. I just noticed the base64 commands, but those do seem only to exist for encoding and decoding theme settings if the user choose to use the export and import settings function.

    I'll try to go over one of the themes with a fine-toothed comb to look for encoded PHP. Shouldn't it have a base64 or similar command?



Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.