Critical Update For WooThemes Customers

As if being attacked was not bad enough, there is also a critical security issue that’s been fixed in the latest release of the WooFramework. The issue dealt with the shortcode generator.

The latest version (and most likely many previous versions) of the WooThemes WooFramework has a bug that allows any website visitor to run and see the output of any shortcode. This gives unauthenticated visitors the same power to execute code on the server as regular publishers have. WordPress installations with unsecured shortcodes (such as which allows raw PHP code to be run) are vulnerable to serious attacks if WooThemes are installed, even if they are not the selected theme for the site.

While the Gist author for that post took some heat for releasing the information the way that he did, others chimed in and stated the vulnerability should have never existed in the first place. According to Jason Gill who is a WooThemes paying customer and also the one who announced the vulnerability on the Gist website explained that he made every effort to try and contact WooThemes or at least, see if the patch was already in existence but was unsuccessful.

While at the time of writing this article is offline, I advise you to check back often to update your themes as soon as possible.

There are 5 comments

Comments are closed.