Copilot AI commented Dec 9, 2025

When a parent theme is updated while a child theme is active, the plugin incorrectly logs the child theme name instead of the parent theme name.

Root Cause

WordPress WP_Theme magic properties ($theme->name, $theme->version) can return child theme values when accessing a parent theme object due to theme hierarchy caching.

Changes

  • Use explicit get() methods instead of magic properties when retrieving theme info
  • Add wp_clean_themes_cache() before retrieving theme info during updates (already present for installs)

// Before
$theme   = wp_get_theme( $slug );
$name    = $theme->name;
$version = $theme->version;

// After
wp_clean_themes_cache();
$theme   = wp_get_theme( $slug );
$name    = $theme->get( 'Name' );
$version = $theme->get( 'Version' );

The get() methods read directly from the theme's style.css headers, bypassing hierarchy merging.

Original prompt

This section details the original issue you should resolve

<issue_title>Theme update when a child theme is active</issue_title>
<issue_description>It seems to record that the child theme is updated (auto-update) when in fact the parent theme is updated. The name of the child theme is said to have been updated - kind of scary to see as the child theme may contain custom code.</issue_description>

Comments on the Issue (you are @copilot in this section)

@JJJ I see what you mean. Milestoning to 2.4.0.

Copilot AI self-assigned this Dec 9, 2025
Copilot AI changed the title from "[WIP] Fix theme update reporting for child themes" to "Fix child theme name logged when parent theme is updated" on Dec 9, 2025
Copilot AI requested a review from JJJ December 9, 2025 03:23
@JJJ JJJ requested a review from Copilot December 9, 2025 03:40
Copilot AI left a comment

Pull request overview

This PR fixes a bug where the child theme name was incorrectly logged when a parent theme was updated while a child theme was active.

Key Changes:

  • Replaced WordPress WP_Theme magic properties ($theme->name, $theme->version) with explicit get() methods to read directly from theme headers
  • Added wp_clean_themes_cache() call before retrieving theme info during updates to ensure fresh data

Comments suppressed due to low confidence (2)

wp-user-activity/includes/actions/class-action-themes.php:375

  • The value in object_name is taken directly from $theme->get( 'Name' ), which ultimately reads the Name header from the theme's style.css without any sanitization, and is later rendered as HTML via wp_get_user_activity_action() and wp_user_activity_manage_custom_column_data() without escaping. A theme author (or attacker controlling a theme package) can set a malicious theme name containing HTML/JS (e.g. a <script> tag), leading to stored XSS in the Activity admin screen and any other place the action string is displayed. To mitigate this, sanitize or escape the theme name before saving or outputting it (for example, use sanitize_text_field() before passing into wp_insert_user_activity, or wrap object_name in esc_html() when building the activity message).
wp_insert_user_activity( array(
	'object_type'    => $this->object_type,
	'object_subtype' => $version,
	'object_name'    => $name,
	'action'         => 'install'
) );

wp-user-activity/includes/actions/class-action-themes.php:409

  • As in the install path, object_name here is populated from $theme->get( 'Name' ) (unsanitized theme header data) and later interpolated into an HTML string that is echoed without escaping in the Activity UI. A malicious theme with a crafted Name header containing HTML/JS can therefore trigger stored XSS whenever the corresponding update activity is viewed. Consider normalizing or escaping the theme name before persisting or rendering it (e.g., sanitize_text_field() before saving to meta, or esc_html() at output time) to prevent HTML injection.
wp_insert_user_activity( array(
	'object_type'    => $this->object_type,
	'object_subtype' => $version,
	'object_name'    => $name,
	'action'         => 'update'
) );
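One way to carry the PR's change (cache flush plus explicit get() reads from the description above) together with the review's sanitize-on-write and escape-on-output advice, as an added example that is not the wp-user-activity plugin's own code. It assumes it runs inside WordPress, where wp_clean_themes_cache(), wp_get_theme(), WP_Theme::get(), WP_Theme::exists(), sanitize_text_field() and esc_html() are core functions; wp_insert_user_activity() is the plugin function shown in the snippets, and the example_* function names and the message format are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress core functions are
// loaded; wp_insert_user_activity() is the plugin's own function from the PR.
// All example_* names are hypothetical.

// Resolve the name and version of the stylesheet that was actually updated.
function example_theme_info_for_logging( $slug ) {
	// Drop cached WP_Theme objects so the lookup cannot return stale parent/child data.
	wp_clean_themes_cache();
	$theme = wp_get_theme( $slug );
	if ( ! $theme->exists() ) {
		return null;
	}
	// Read this theme's own style.css headers rather than merged hierarchy values.
	$name    = $theme->get( 'Name' );
	$version = $theme->get( 'Version' );
	// The Name header is attacker-influenced text from a theme package: strip tags
	// and control characters before it is persisted as object_name.
	$name = sanitize_text_field( $name );
	if ( '' === $name ) {
		$name = $slug; // Fall back to the directory slug rather than an empty name.
	}
	return array(
		'name'    => $name,
		'version' => sanitize_text_field( $version ),
	);
}

// Log one 'update' activity per updated theme slug reported by the upgrader.
function example_log_theme_updates( $object_type, array $slugs ) {
	foreach ( $slugs as $slug ) {
		$info = example_theme_info_for_logging( $slug );
		if ( null === $info ) {
			continue;
		}
		wp_insert_user_activity( array(
			'object_type'    => $object_type,
			'object_subtype' => $info['version'],
			'object_name'    => $info['name'],
			'action'         => 'update',
		) );
	}
}

// Escape again at render time: sanitizing on write does not replace output escaping,
// since older rows or other writers may not have been sanitized.
function example_activity_message( $name, $version ) {
	return sprintf( 'Theme %s updated to version %s', esc_html( $name ), esc_html( $version ) );
}
```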
