
Incorrect theme info displayed for custom/third-party themes that share same name as theme in .org repo #89856

Open
mgozdis opened this issue Apr 24, 2024 · 11 comments
Labels
Customer Report Issues or PRs that were reported via Happiness. Previously known as "Happiness Request". [Feature] Calypso & wp-admin Navigation All navigation in Calypso and wp-admin, and the unified transitions between the two. [Feature Group] Other Infrastructure Miscellaneous infrastructure features and improvements on WordPress.com. [Platform] Atomic [Pri] Normal Schedule for the next available opportunity. [Product] WordPress.com All features accessible on and related to WordPress.com. [Status] Needs Author Reply [Status] Priority Review Triggered Quality squad has been notified of this issue in #dotcom-triage-alerts Triaged To be used when issues have been triaged. [Type] Bug When a feature is broken and / or not performing as intended

Comments

@mgozdis

mgozdis commented Apr 24, 2024

Quick summary

We recently migrated in a site that was using a third-party theme from Themify called Parallax as the parent theme. This shares the same theme name as the following .org theme: https://wordpress.org/themes/parallax/

Under Appearance > Themes > My Themes, clicking the theme info returns incorrect info from the .org repo rather than the info from the theme that's installed. Here is a screenshot of the incorrect theme info for reference: LC4eYK.png

Here is a screenshot of the correct theme info on the source site:
QAvBZ6.png

Steps to reproduce

  1. Create or install a custom/third-party theme that shares the same name as a .org theme
  2. Check Appearance > Themes > My Themes and see the correct screenshot and theme info displayed
  3. Click Info for the theme and see the incorrect info displayed

What you expected to happen

The theme info from the installed theme should be displayed

What actually happened

Incorrect info from the .org theme repo for a different theme with the same name is displayed instead.

Impact

Some (< 50%)

Available workarounds?

Yes -- in the theme's style.css, add the Update URI theme header and set it to a non-.org URI, as indicated below. You can also use Update URI: false to effectively disable update checks.

Platform (Simple and/or Atomic)

Atomic

Logs or notes

No response

@mgozdis mgozdis added [Type] Bug When a feature is broken and / or not performing as intended [Feature] Calypso & wp-admin Navigation All navigation in Calypso and wp-admin, and the unified transitions between the two. Needs triage Ticket needs to be triaged [Product] WordPress.com All features accessible on and related to WordPress.com. [Feature Group] Other Infrastructure Miscellaneous infrastructure features and improvements on WordPress.com. labels Apr 24, 2024
@github-actions github-actions bot added the [Status] Priority Review Triggered Quality squad has been notified of this issue in #dotcom-triage-alerts label Apr 24, 2024
@github-actions github-actions bot added [Platform] Atomic [Pri] High Address as soon as possible after BLOCKER issues labels Apr 24, 2024
@liviopv

liviopv commented Apr 25, 2024

📌 REPRODUCTION RESULTS

  • Tested on Atomic – Uncertain
  • Replicable outside of Dotcom – Uncertain

📌 ACTIONS

  • Requested author feedback

📌 Message to Author
@mgozdis can you export a copy of the theme from the source site and share it with us so we can test it on a different site/environment?

@mgozdis
Author

mgozdis commented Apr 25, 2024

@liviopv Here is a lightweight test theme as an example. This also causes issues in Default view where the correct screenshot/info is displayed, but it checks for updates from the .org repo and incorrectly states there is an update available. Auto-updates may potentially overwrite the theme, but that's not been fully tested. Manually updating does overwrite the theme with the wrong theme from .org repo.

This update issue also happens on self-hosted installs, so it appears to be a core issue where the .org repo is always checked for updates. This is likely an edge case for developers and third-party theme creators that may create a theme with the same name as an existing theme in .org repo, but never submit their theme to the repo to know.
parallax.zip

@rickmgithub rickmgithub added [Pri] Low Address when resources are available. [Pri] Normal Schedule for the next available opportunity. and removed [Pri] High Address as soon as possible after BLOCKER issues Needs triage Ticket needs to be triaged [Pri] Low Address when resources are available. labels May 9, 2024
@rickmgithub

📌 REPRODUCTION RESULTS

  • Tested on Atomic – Replicated

📌 FINDINGS/SCREENSHOTS/VIDEO

  1. Download the theme file shared by @mgozdis above
  2. Manually install the theme on the site. Do not press any update buttons; just let it install
  3. Notice how it's showing basic information, saying it's out of date, etc.
  4. Now go to update the theme and notice how it's not updating "this" theme but referencing the theme with the same name on the WordPress.org directory, which is a different theme.
  5. It now overwrites the theme we created with the one from the .org directory

So it is comparing the theme being uploaded with the .org directory because they have the same name.

📌 ACTIONS

Triaged

@rickmgithub rickmgithub moved this from In Triage to Triaged in Automattic Prioritization: The One Board ™ May 9, 2024
@rickmgithub rickmgithub added the Triaged To be used when issues have been triaged. label May 9, 2024
@mgozdis
Author

mgozdis commented May 9, 2024

I'll note that I can see this potentially being used as an "attack vector" against 3rd-party premium/paid themes that do not exist in the .org repo.

  1. Find popular themes on Envato/ThemeForest that do not exist in .org repo
  2. Create themes with the same names and submit to .org repo with higher versioning
  3. Wait for sites to auto-update the theme or manually update the theme, which will install your theme instead
  4. Profit?

@i11za

i11za commented May 26, 2024

Another user report here: 8235996-zd-a8c

Chateau theme.


Support References

This comment is automatically generated. Please do not edit it.

  • 8235996-zen

@github-actions github-actions bot added the Customer Report Issues or PRs that were reported via Happiness. Previously known as "Happiness Request". label May 26, 2024
@mrfoxtalbot

This is happening too when a third-party theme has the same name as one of dotcom's retired themes.
More context in: p1716735482335059-slack-C03TY6J1A

@annezazu

Heads up to @scruffian as you work on untangling themes here. @ryelle in particular, as you have so much experience with these repos on the WordPress.org side!

@ryelle
Member

ryelle commented Jan 22, 2025

It is expected that core will show the update for the wporg theme. Generally custom theme names should be unique to the site they're used on, though 3rd party themes can be an issue. Ideally, the Themify folks would know this is an issue, and set the Update URI header to disable the core update feature in their themes.

As for the “attack vector” idea — since this is how core works, the wporg theme directory does not allow submissions with “popular” theme names, so you could not create something called avada or betheme, etc. In fact, the wporg theme Parallax was almost certainly created before the Themify one (the wporg one was made in 2013, and I don't know about Themify but since it's a block theme I assume it's newer 😁).

The wrong theme showing up in Calypso is definitely a bug though, it should have been getting that info from the site itself. The work to untangle calypso & wp-admin #95651 should fix this by default, since it will involve sunsetting that calypso page in favor of the wp-admin one. I'll attach this issue to the parent untangling issue though, so we can remember to test that case later.

@ironprogrammer
Contributor

Thank you for the analysis, @ryelle! I've tested the Update URI header workaround you indicated (applied to @mgozdis's example), and updated the issue description to include this guidance.

Screenshot of example theme details modal with Update URI applied -- no updates indicated:
Image
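The Update URI workaround discussed in the issue description and in the comment above comes down to what WordPress core reads out of a theme's style.css header block. The following Python script is an added example, not code from this issue, from WordPress core or from any theme vendor: it parses the style.css headers the way core's get_file_data() does (in a simplified form) and reports whether core's .org update check would still be keyed on the theme slug. The sample headers are constructed for the example, and the decision rule (no Update URI, or an Update URI whose host is wordpress.org or w.org, means core checks the .org directory by slug) is a simplified model of wp_update_themes(), stated here as an assumption rather than a reading of the exact core code.

```python
import re
from urllib.parse import urlparse

# Constructed sample style.css headers for the example (not the real Themify or .org files).
SAMPLE_NO_UPDATE_URI = """/*
Theme Name: Parallax
Theme URI: https://example.com/parallax
Author: Example Author
Version: 1.2.0
*/
"""

SAMPLE_VENDOR_UPDATE_URI = """/*
Theme Name: Parallax
Theme URI: https://example.com/parallax
Version: 1.2.0
Update URI: https://example.com/parallax/updates
*/
"""

SAMPLE_UPDATES_DISABLED = """/*
Theme Name: Parallax
Version: 1.2.0
Update URI: false
*/
"""

# Header fields this example cares about, mapped to the keys core exposes via WP_Theme::get().
HEADER_FIELDS = {
    "Theme Name": "Name",
    "Version": "Version",
    "Update URI": "UpdateURI",
}

# Hosts that mean "use the wordpress.org directory" (assumption: simplified model of core).
WPORG_HOSTS = {"wordpress.org", "w.org"}


def parse_theme_headers(style_css: str) -> dict:
    """Extract 'Key: value' headers from the leading comment block of a style.css.

    Simplified model of core's get_file_data(): only the first 8 KiB is inspected,
    and each field is matched as a whole line inside the comment, case-insensitively.
    Missing fields come back as empty strings.
    """
    head = style_css[:8192]
    headers = {}
    for field, key in HEADER_FIELDS.items():
        pattern = r"^[ \t\/*#@]*" + re.escape(field) + r":(.*)$"
        match = re.search(pattern, head, re.MULTILINE | re.IGNORECASE)
        headers[key] = match.group(1).strip() if match else ""
    return headers


def wporg_update_check_applies(headers: dict) -> bool:
    """Return True when core would ask the .org directory about this theme by slug.

    Assumed rule: an absent Update URI, or one whose host is a wordpress.org host,
    leaves the theme exposed to the slug collision described in the issue. Any other
    value, including the literal 'false' (which has no host), opts the theme out.
    """
    update_uri = headers.get("UpdateURI", "")
    if not update_uri:
        return True
    host = (urlparse(update_uri).hostname or "").lower()
    return host in WPORG_HOSTS


def audit_style_css(style_css: str) -> dict:
    """Combine parsing and the decision rule into one report for a style.css file."""
    headers = parse_theme_headers(style_css)
    return {
        "name": headers["Name"],
        "version": headers["Version"],
        "update_uri": headers["UpdateURI"] or "(none)",
        "wporg_slug_update_check": wporg_update_check_applies(headers),
    }


if __name__ == "__main__":
    for label, css in [
        ("no Update URI", SAMPLE_NO_UPDATE_URI),
        ("vendor Update URI", SAMPLE_VENDOR_UPDATE_URI),
        ("Update URI: false", SAMPLE_UPDATES_DISABLED),
    ]:
        print(label, "->", audit_style_css(css))
```

To apply this to a real site, read each theme's style.css from wp-content/themes and feed it to audit_style_css; any theme whose report shows wporg_slug_update_check as True and whose name is not unique to the site is a candidate for adding the Update URI header described in the workaround.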

@mgozdis
Author

mgozdis commented Jan 29, 2025

We are getting some recent reports where old symlinked themes sharing the same slug with themes in .org are being replaced on users' sites with the incorrect theme from .org. It's breaking their sites and there is nothing in the audit trail showing the theme updated; however, wp-cli and various other internal dashboards show an update available, while the update is only for the theme on .org.

So far, we've seen it affect sites with these retired symlinked themes:

  • corporate
  • radiate

I'll check with others to see if something happened on a platform level, but updating here since it's directly related to the same behavior of how core pulls everything from .org based on the slug.
