Critical Update For WooThemes Customers

As if WooThemes.com being attacked was not bad enough, there is also a critical security issue that’s been fixed in the latest release of the WooFramework. The issue dealt with the shortcode generator.

The latest version (and most likely many previous versions) of the WooThemes WooFramework has a bug that allows any website visitor to run and see the output of any shortcode. This gives unauthenticated visitors the same power to execute code on the server as regular publishers have. WordPress installations with unsecured shortcodes (such as which allows raw PHP code to be run) are vulnerable to serious attacks if WooThemes are installed, even if they are not the selected theme for the site.
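The bug described above is an authorization failure: a shortcode "preview" endpoint that any visitor can reach. The following is an added illustration, not WooFramework's actual code, showing the shape of such a handler in a vulnerable and a hardened form using standard WordPress APIs. All `woo_demo_*` names, the `preview.js` file and the `shortcode` POST field are hypothetical.

```php
<?php
// Added illustration (not WooFramework code): an admin-ajax shortcode preview
// handler in the shape the post describes, vulnerable form beside hardened form.
// All woo_demo_* names, the POST field and preview.js are hypothetical.

// --- Vulnerable form -------------------------------------------------------
// Registered with BOTH wp_ajax_ (logged in) and wp_ajax_nopriv_ (logged out),
// with no capability or nonce check, so any visitor can submit shortcode text
// and receive the rendered output of do_shortcode() back.
function woo_demo_preview_vulnerable() {
	$content = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
	echo do_shortcode( $content );
	wp_die();
}
add_action( 'wp_ajax_woo_demo_preview',        'woo_demo_preview_vulnerable' );
add_action( 'wp_ajax_nopriv_woo_demo_preview', 'woo_demo_preview_vulnerable' ); // the defect

// --- Hardened form ---------------------------------------------------------
// 1. No wp_ajax_nopriv_ hook, so unauthenticated requests never reach it.
// 2. Require the capability a publisher needs anyway (the post compares the
//    bug's power to "regular publishers"), so a subscriber account is not enough.
// 3. Require a nonce so a logged-in publisher cannot be driven into it by CSRF.
function woo_demo_preview_hardened() {
	if ( ! current_user_can( 'publish_posts' ) ) {
		wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
	}
	check_ajax_referer( 'woo_demo_preview_nonce', 'nonce' ); // dies with 403 on failure

	$content = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
	echo do_shortcode( $content );
	wp_die();
}
add_action( 'wp_ajax_woo_demo_preview_safe', 'woo_demo_preview_hardened' );

// Issue the nonce to the editor-side script that calls the hardened endpoint.
function woo_demo_enqueue_editor_script() {
	wp_enqueue_script( 'woo-demo-preview', plugins_url( 'preview.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'woo-demo-preview', 'wooDemo', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'action'  => 'woo_demo_preview_safe',
		'nonce'   => wp_create_nonce( 'woo_demo_preview_nonce' ),
	) );
}
add_action( 'admin_enqueue_scripts', 'woo_demo_enqueue_editor_script' );
```

The capability check is the one that matters for the issue in the post: `do_shortcode()` runs whatever handlers the site has registered, so a preview endpoint must be gated at least as tightly as publishing a post. A quick way to audit a site for this class of bug is to list every `wp_ajax_nopriv_` hook and confirm that none of them calls `do_shortcode()` on caller-supplied input.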

While the Gist author took some heat for releasing the information the way he did, others chimed in and stated that the vulnerability should never have existed in the first place. Jason Gill, a paying WooThemes customer and the one who announced the vulnerability on Gist, explained that he had made every effort to contact WooThemes, or at least to find out whether a patch already existed, but was unsuccessful.

While at the time of writing this article WooThemes.com is offline, I advise you to check back often to update your themes as soon as possible.

5 Comments


  1. Jeffro,

    I can confirm that this issue has been patched.

    If WooThemes users are looking to patch their WooFramework during our unfortunate current downtime, we have a process that takes a few quick steps to patch the code.

    Our ninjas are on hand to assist in applying this patch as well. To get in touch with us during our downtime, please e-mail techsupport [at] woothemes.com.

    Our sincerest apologies for the inconvenience caused here.



  2. Here is their status: http://wpengine.wordpress.com/

    Very tough for the guys at Woo. I do agree with Jason a bit. I didn’t agree with the method but the way the update was announced was not right either.



  3. Woo themes have definitely dropped the ball here. When programming, making sure that authentication is working appropriately is the most basic form of security testing and they didn’t do a very good job it would seem.



  4. @Stephen. I am not sure why these guys are targeted though. I think where Woo Themes dropped the ball was when they decided to just not make a big deal out of the update. They treated it as if it was a small update which it was not.

    I like the guys at Woo. Let’s hope they pay more attention to security in the future. And let’s hope the folks targeting them with DDoS attacks get a life.



  5. “let’s hope the folks targeting them with DDoS attacks get a life”

    In the last 4 months we’ve had 3 DDoS attacks against WordPress people who don’t align with Matt’s vision. The horse has bolted. Condemning the horse and not the people who opened the door is not going to help anyone.
