As if the attack on WooThemes.com were not bad enough, a critical security issue has also been fixed in the latest release of the WooFramework. The issue is in the shortcode generator.
The latest version (and most likely many previous versions) of the WooThemes WooFramework has a bug that lets any website visitor run any shortcode and see its output. That gives unauthenticated visitors the same power to execute code on the server that regular publishers have. WordPress installations with unsecured shortcodes (such as a [php] shortcode that runs raw PHP) are open to serious attacks if a WooThemes theme is installed, even when it is not the active theme for the site.
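The following is an added illustration of the class of bug described above and of the checks that close it. It is not WooThemes' code and does not reproduce the WooFramework file; the function names, the `wf_preview` AJAX action names and the `content` and `_wpnonce` parameters are assumptions chosen for the example. The first handler is the vulnerable shape: a preview endpoint that hands whatever it receives to `do_shortcode()` for anyone who can reach the URL. The second is the same feature limited to users who could already publish that shortcode in a post.

```php
<?php
// Added example (not WooThemes' code). Hook names, function names and the
// POST parameters are assumptions for illustration.

// VULNERABLE PATTERN: a shortcode preview endpoint with no idea who is calling.
// Any registered shortcode, including one that runs raw PHP, is expanded here
// and its output echoed back to the caller.
function wf_preview_shortcode_unsafe() {
    $content = isset( $_POST['content'] ) ? stripslashes( $_POST['content'] ) : '';
    echo do_shortcode( $content ); // runs as the web server, for anyone
    exit;
}
// The "nopriv" hook is what exposes it to logged-out visitors.
add_action( 'wp_ajax_nopriv_wf_preview', 'wf_preview_shortcode_unsafe' );
add_action( 'wp_ajax_wf_preview',        'wf_preview_shortcode_unsafe' );

// HARDENED: same feature, gated on the capability the post editor itself
// requires, protected by a nonce, and never registered on a nopriv hook.
function wf_preview_shortcode_safe() {
    // 1. Anonymous requests get nothing.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required', '', array( 'response' => 401 ) );
    }
    // 2. Expanding a shortcode must give the caller no more than publishing a
    //    post would; require the capability that publishing requires.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // 3. Tie the request to a nonce issued to this user (passed to the
    //    generator's JavaScript with wp_create_nonce( 'wf_preview_nonce' )),
    //    so a third-party page cannot fire the preview from the user's browser.
    check_ajax_referer( 'wf_preview_nonce', '_wpnonce' );

    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    // 4. Users without unfiltered_html get the same HTML filtering they would
    //    get on save, before any shortcode is expanded.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $content = wp_kses_post( $content );
    }
    echo do_shortcode( $content );
    exit;
}
add_action( 'wp_ajax_wf_preview_safe', 'wf_preview_shortcode_safe' );
// Deliberately no add_action( 'wp_ajax_nopriv_wf_preview_safe', ... ).
```

The practical check for any theme or plugin that offers a shortcode preview is to send its preview request as a logged-out visitor with a harmless shortcode and see whether expanded output comes back; if it does, every shortcode registered on the site, including any that execute PHP, is reachable by the public.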
While the author of that Gist took some heat for releasing the information the way he did, others chimed in that the vulnerability should never have existed in the first place. Jason Gill, a paying WooThemes customer and the person who announced the vulnerability on Gist, explained that he made every effort to contact WooThemes, or at least to find out whether a patch already existed, but was unsuccessful.
At the time of writing, WooThemes.com is offline, so check back often and update your themes as soon as the patched WooFramework is available.
Jeffro,
I can confirm that this issue has been patched.
If WooThemes users are looking to patch their WooFramework during our unfortunate current downtime, we have a process that takes a few quick steps to patch the code.
Our ninjas are on hand to assist in applying this patch as well. To get in touch with us during our downtime, please e-mail techsupport [at] woothemes.com.
Our sincerest apologies for the inconvenience caused here.