There are a few tweets going around about an exploit in our WooFramework. It happens to be making news around the same time we were hacked, so naturally it could cause some hysteria about a possible link between the two and a vulnerability on our users’ sites. Rest assured that there is no link: the exploit was actually fixed a few days before our website was hacked.
We have however issued another update to the WooThemes framework (V5.3.11, since superseded by V5.3.12; see the updates below) to tighten the security of our themes even further. We recommend all users update their themes to the latest version, and it’s really easy: click the “Update Framework” button in our theme framework in the WP backend to grab and install the latest version.
This from WooThemes developer Matty Cohen:
The shortcode preview functionality that was in the WooFramework’s bundled shortcode generator (the neat popup used to add shortcodes to posts and pages with a point-and-click interface) was identified as a potential security exploit several days ago. After the first report was made, we began work on isolating and resolving this exploit. This resulted in the removal of this functionality from the WooFramework (the shortcode generator is still there… just the preview functionality was removed).
The potential exploit is such that the shortcode preview allowed users to generate shortcodes using the preview window’s file, without authenticating the user.
We would have preferred the user who published the details of the exploit to have disclosed it to us securely and privately first, before sharing it on social readers where it received some unjustified, harsh critique, but for the sake of transparency we are publicly acknowledging and responding to the information at the risk of causing some nervy users.
Feel free to post any further questions below, where Matty and our other developers will happily calm your nerves. What we have actioned as a result of this story is a new Twitter account that users can follow, called “WooThemesDev”, which will communicate theme updates and codebase details to interested users. Follow ‘WooThemesDev’ on Twitter.
Update: Version 5.3.12 of the WooFramework was recently released to ensure that the file in question is overwritten correctly by the WooFramework one-click update system. This update was flagged as “critical” and is an essential update.
Update: If you’re experiencing an issue automatically updating to V5.3.12, or the update doesn’t show for you on the “Update Framework” screen of your WordPress admin, please see our tutorial on how to perform a manual WooFramework upgrade.
If this tutorial link isn’t visible to you after being logged in to your WooThemes account, give us a shout in the Support Forum and we’ll assist in getting you upgraded.
Please ensure that all themes on your website that use the WooFramework are updated to the latest version (not just the theme you have active).
Manually Upgrading the WooFramework
To manually upgrade the WooFramework, the steps are:
- Download the WooFramework ZIP file.
- Back up your entire theme onto your computer, using an FTP program (your web hosting provider should provide FTP information). This is a precaution in case you need to revert to the previous version you were running.
- Unzip the WooFramework ZIP file downloaded in step 1.
- Remove all files from the functions folder inside your theme via FTP. Delete rather than merely overwrite: the fix removed the preview functionality, so a file the new version no longer ships must not be left behind where it would still be reachable on the server.
- Replace the contents of the now-empty functions folder inside your theme with the contents of the ZIP file unzipped above.
- Repeat this for all WooThemes using the WooFramework that are on your server, not just the active theme.
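The six steps above scripted for a server where you have shell access instead of FTP, as an added example that is not WooThemes’ own tooling: for each theme you list it backs up the old functions folder, wipes it, copies the unzipped framework in, and then verifies that the result is byte-for-byte the new framework (so a stale file cannot survive, and a partial overwrite, the problem the 5.3.12 update was issued for, is caught). The theme layout (`<theme>/functions`), the backup location and the file names in the demo fixture are assumptions.

```shell
#!/bin/sh
# Added example, not WooThemes' own tooling: script the manual WooFramework upgrade
# over an explicit list of themes (backup, wipe functions/, copy the unzipped ZIP
# contents in) and verify that every file really was overwritten.
# Assumptions: each WooFramework theme keeps the framework in <theme>/functions, and
# FRAMEWORK_DIR is the directory produced by unzipping the WooFramework ZIP.
set -eu

# upgrade_theme THEME_DIR FRAMEWORK_DIR BACKUP_DIR
# Backs up THEME_DIR/functions to BACKUP_DIR/<theme>-functions (step 2), removes it
# entirely (step 4) and copies FRAMEWORK_DIR in its place (step 5).
upgrade_theme() {
  theme="$1"; framework="$2"; backup="$3"
  if [ ! -d "$theme/functions" ]; then
    echo "no functions/ folder in $theme: not a WooFramework theme?" >&2
    return 1
  fi
  mkdir -p "$backup"
  cp -R "$theme/functions" "$backup/$(basename "$theme")-functions"
  rm -rf "$theme/functions"                 # delete, do not merely overwrite
  mkdir "$theme/functions"
  cp -R "$framework"/. "$theme/functions/"  # contents of the unzipped ZIP
}

# verify_theme THEME_DIR FRAMEWORK_DIR
# Succeeds only if THEME_DIR/functions is identical to the unzipped framework: every
# new file present with the same bytes, and no stale file left over.
verify_theme() {
  theme="$1"; framework="$2"
  diff -r "$framework" "$theme/functions" >/dev/null 2>&1
}

# upgrade_themes FRAMEWORK_DIR BACKUP_DIR THEME_DIR...
# Step 6: run upgrade + verify over every listed theme, print how many were done.
# Aborts (set -e) on the first theme that fails to upgrade or verify.
upgrade_themes() {
  framework="$1"; backup="$2"; shift 2
  count=0
  for t in "$@"; do
    upgrade_theme "$t" "$framework" "$backup"
    verify_theme "$t" "$framework" || { echo "verification failed for $t" >&2; return 1; }
    count=$((count + 1))
  done
  echo "$count"
}

# demo: constructed fixture (two fake themes and fake ZIP contents, hypothetical file
# names) so the script can be run offline; prints the number of themes upgraded.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/themes/theme-a/functions/stale" "$d/themes/theme-b/functions" "$d/framework/js"
  echo '<?php // old file the new version no longer ships' > "$d/themes/theme-a/functions/stale/old.php"
  echo '<?php // old' > "$d/themes/theme-b/functions/admin-init.php"
  echo '<?php // new' > "$d/framework/admin-init.php"
  echo '// new' > "$d/framework/js/admin.js"
  upgrade_themes "$d/framework" "$d/backup" "$d/themes/theme-a" "$d/themes/theme-b"
  rm -rf "$d"
}

case $# in
  0) demo ;;
  *) upgrade_themes "$@" ;;   # e.g. upgrade_themes ./woo-framework ./backup wp-content/themes/canvas
esac
```

Run it with no arguments to exercise the constructed fixture, or with the unzipped framework directory, a backup directory and one or more theme directories to upgrade a real install. Verification is the part worth keeping even if you upgrade by FTP: `diff -r` between the unzipped ZIP and each theme’s functions folder is a quick way to confirm that nothing old survived the update.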