There are a few tweets going around about an exploit in our WooFramework. It happens to be making news around the same time we were hacked so naturally it could cause some hysteria about a possible link between the two and a vulnerability on our users’ sites. Rest assured there is no link and the exploit was actually fixed a few days before our website was hacked.
We have however issued another update to the WooThemes framework (V5.3.11, now superseded by V5.3.12) to tighten the security of our themes even further. We recommend all users update their themes to the latest version, it’s really easy. Click the “Update Framework” button in our theme framework in the WP backend to grab and install the latest version.
This from WooThemes developer Matty Cohen:
The shortcode preview functionality that was in the WooFramework’s bundled shortcode generator (the neat popup used to add shortcodes to posts and pages with a point-and-click interface) was identified as a potential security exploit several days ago. After the first report was made, we began work on isolating and resolving this exploit. This resulted in the removal of this functionality from the WooFramework (the shortcode generator is still there… just the preview functionality was removed).
The potential exploit is such that the shortcode preview allowed users to generate shortcodes using the preview window’s file, without authenticating the user.
We would have preferred the user who published the details of the exploit to have disclosed it to us securely and privately first, before sharing it on social readers where it received some unjustified, harsh critique, but for the sake of transparency we are publicly acknowledging and responding to the information at the risk of causing some nervy users.
Feel free to post any further questions below where Matty and our other developers will happily calm your nerves. What we have actioned as a result of this story is a new Twitter account that users can follow called “WooThemesDev” which will communicate theme updates and codebase details to interested users.
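The preview file described above rendered any shortcode handed to it without authenticating the caller, and the fixed framework removes the file entirely. Site owners who want to know whether that file was being hit on their own hosts can check their web-server access logs. The following Python is an added example written for this post, not code from WooThemes or the WooFramework; it parses constructed combined-format log lines (the sample lines are made up, using the file path quoted in the comments below), flags every request for the preview file, decodes the shortcode it was asked to render, and uses the status code to separate an unpatched site (200, the preview answered) from a patched one (404, the file is gone). The theme directory is derived from the path so you know which theme still needs the upgrade.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The preview file named in the comments below; the fixed framework removes it entirely.
PREVIEW_FILE = "preview-shortcode-external.php"

# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (not real traffic). The first two request the
# preview file: one is answered 200 (unpatched site), one 404 (file removed).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2012:10:01:02 +0000] "GET /wp-content/themes/olya/functions/js/shortcode-generator/preview-shortcode-external.php?shortcode=%5Btwitter_follow%20username=%22iota%22%5D HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Apr/2012:10:05:44 +0000] "GET /wp-content/themes/olya/functions/js/shortcode-generator/preview-shortcode-external.php?shortcode=%5Bbox%5D HTTP/1.1" 404 210 "-" "curl/7.21"
198.51.100.4 - - [24/Apr/2012:10:06:10 +0000] "GET /2012/04/some-post/ HTTP/1.1" 200 8720 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_preview_requests(log_text):
    """Flag every request for the shortcode preview file and decode the shortcode sent to it."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.endswith("/" + PREVIEW_FILE):
            continue
        # parse_qs percent-decodes the value, so %5B...%5D comes back as [...]
        shortcode = parse_qs(parts.query).get("shortcode", [""])[0]
        status = int(rec["status"])
        findings.append({
            "ip": rec["ip"],
            "time": rec["ts"],
            # everything before /functions/ is the theme directory to upgrade
            "theme_path": parts.path.rsplit("/functions/", 1)[0],
            "shortcode": shortcode,
            "status": status,
            # a 200 means the unauthenticated preview still answered; a 404 means it is gone
            "rendered": status == 200,
        })
    return findings


def triage(findings):
    """Summarise: previews actually served, hits on the removed file, and which themes to check."""
    return {
        "rendered": sum(1 for f in findings if f["rendered"]),
        "not_found": sum(1 for f in findings if f["status"] == 404),
        "themes": sorted({f["theme_path"] for f in findings}),
    }


if __name__ == "__main__":
    hits = find_preview_requests(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(triage(hits))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; any theme listed under "themes" with a "rendered" count above zero was still serving the preview at that time and should be on the upgrade list.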
Update: Version 5.3.12 of the WooFramework was recently released to ensure that the file in question is overwritten correctly by the WooFramework one-click update system. This update was flagged as “critical” and is an essential update.
Update: If you’re experiencing an issue automatically updating to V5.3.12, or the update doesn’t show for you on the “Update Framework” screen of your WordPress admin, please see our tutorial on how to perform a manual WooFramework upgrade.
If this tutorial link isn’t visible to you after being logged in to your WooThemes account, give us a shout in the Support Forum and we’ll assist in getting you upgraded.
Please ensure that all themes on your website that use the WooFramework are updated to the latest version (not just the theme you have active).
Manually Upgrading the WooFramework
To manually upgrade the WooFramework, the steps are:
- Download the WooFramework ZIP file.
- Backup your entire theme onto your computer, using an FTP program (your web hosting provider should provide FTP information). This is a precaution in case you need to revert to the previous version you were running.
- Unzip the WooFramework ZIP file downloaded in step 1.
- Remove all files from the functions folder inside your theme via FTP.
- Replace the content of the functions folder inside your theme with the contents of the ZIP file unzipped above.
- Repeat this for all WooThemes using the WooFramework that are on your server, not just the active theme.
I haven’t developed anything using WooThemes, but have clients who have brought over Woo-based themes. The exploit’s proof-of-concept (from the Gist that I learned from it) using a link to the impacted file on demo2.woothemes.com still appears to render shortcode output.
Can you say more about the fix? Should that still render (follow @kraft on Twitter and I’ll DM you the link. Don’t want to include it here since it is a security concern!)?
Hi Brandon,
Using the latest version of the WooFramework, this file and the functionality to preview shortcodes was removed entirely.
Any examples of this exploit in effect will not render using the latest version of the WooFramework.
Matty
This is great, but I think the real question is why is it still active on your demo servers.
Hi Tony,
We’re currently in the process of updating our demo servers. Our sincerest apologies for the inconvenience caused here.
Guys,
Great to hear that it is patched but why are we still able to see this: http://demo2.woothemes.com/olya/wp-content/themes/olya/functions/js/shortcode-generator/preview-shortcode-external.php?shortcode=%5Btwitter_follow%20username=%22iota%22%5D
This patch needs to be pushed to your demo servers.
Thanks Tony. Please see above comment. 🙂
Hey Bud
Have to be honest, my bigger concern is not in how this vulnerability was disclosed by Jason Gill, but how it was not by WooThemes on April 23rd when it was found and patched: http://cl.ly/3S2o1z380L3i1D44443A, especially with a “critical” rating. What’s probably more frustrating is that the demo servers were not patched in that same timeframe.
The disclosure by Jason has just further exacerbated the situation and we must all now work together to get the word out to as many people as possible.
Not good guys, not good at all.
Tony
Tony,
We’ve certainly learnt a lot over the past week, with our server downtime and this possible WooFramework exploit.
We are taking these lessons to heart and implementing further structures and channels to be able to communicate with WooThemes users as directly and as quickly as possible.
Matty et al. –
You’re in a tough spot, and running on overtime for a while… It’s tough to know how to handle one of these fires (let alone 2) until you’re there…
The important part is identifying the things that went well, and the things that went not-so-well, and documenting them as a policy for the next time (fingers crossed there isn’t, but this is the Internet after all).
Cheers on being able to move forward, keeping your chins held high, and helping clients get switched over and secure as a priority.
Matt
Hey, do you have a direct download link for this? When I click the update framework link in wordpress I get a failed message..
Hi Jason.
No problem. 🙂 Please post in our support forums and we’ll do all we can to assist with getting you to the latest version of the WooFramework.
When posting in the forum, please also post the message you get when clicking the “Update Framework” button.
Thanks Jason. 🙂
That Jason isn’t this Jason 🙂 Update Framework worked for me and fixed the issue.
Ping me at attached email address, would be happy to have an honest discussion with you guys. Sorry for an unexpected day of troubles, next round of beers is on me.
When I press [update framework], I get the following screen:
____________
Framework Update
You have the latest version of WooFramework
→ Your version: 5.3.3
_____________
How can I force a new update? Or can I download it?
Thank you,
Denis
I used your link:
http://woocommerce.com/2009/08/how-to-upgrade-your-theme/#update-6
It’s updated.
thank you
This doesn’t seem to work for me. Whenever I click on that link, I am automatically logged out and told that I need to be logged in to access this content. But I’m already logged into my account, so can someone help me with this please?
When I try to update automatically, I am told that I already have the 5.3.3 version of the framework (whereas the current version is 5.3.12)
Same problem here. I am unable to access the page even though I am logged in. It keeps returning to the login form.
Same as Puranjay and Richard below.
Stuck in log-in loop with no way out.
Please post the tutorial somewhere else for now.
It should be open for anyone to see since there were issues with logging in.
Nonetheless, the update framework functionality works from within the theme options now. 🙂
Hello,
I was able to update the framework manually, but I thought you would like to know about a problem I was having with the automatic updater. I got a “copy failed” error message when I tried to do the automatic update. I changed the permissions on the /canvas/functions folder to 777 temporarily, and that did not solve the problem.
New framework 5-3-12 successfully downloaded, extracted and updated.
Will stay tuned for any other critical update:)
My theme framework says “up to date” but it is definitely not 5-3-12. Is this something not yet working on the new setup?
I’m trying to update three separate sites but when I click “Update Framework” I get a message reading.
“You have the latest version of WooFramework
→ Your version:” old_version_number (Showing versions, 3.7.03, 4.5.1, & 4.6.0) for the three sites. Do I need to download this and install it manually? If so, where can I go to do this?
TY
Appreciate that you boys have had some rough days, but some of us have had our accounts “expire” – are you working on fixing that?
Hi Beth, Todd,
To manually upgrade the WooFramework, please see our guide here: http://woocommerce.com/2009/08/how-to-upgrade-your-theme/#update-6
Hi Johnny.
We are aware of the subscription expiration issue and will be looking into it over the next few days. 🙂
OK, I tried to follow that link which brought me to a login page stating “This resource is only available to registered WooThemes users.” I then log in and I’m redirected to “http://woocommerce.com/dashboard/” and so when I try to paste the URL into my address bar (having just logged in) it takes me back to the “This resource is only available to registered WooThemes users.” page. Any insight into why I’m unable to find the page you’re linking to?
TY
I’m having the exact same problem as Todd, and am also unable to post about the issue in the forum — it lets me compose my forum post, but then the submit button does nothing at all.
I’m having the same problem – the tutorial asks me to log in, even when I’m already logged in, so I can’t view it. If I log in on the prompt page, it just takes me to the dashboard.
Same issue here as all of the previous commenters noted.
I should also note that the “Update framework” button has NEVER worked for me.
Will we get any clarification on this?
Same exact issue here. Logged in, click link and am asked to login again, when I do I go to Dashboard.
Todd, Julie, Evan, Konstantinos,
The login issue is a known issue at present, which our team are working to resolve.
Please email us on techsupport [at] woocommerce.com where we can assist with the upgrade, if you’re having difficulty accessing the forums as well.
@Konstantinos – The “Update Framework” link may not be working for you due either to a permissions issue with your “wp-content” folder not being able to be written to, or due to your server not allowing the connection to be made to retrieve the information about the update.
Our sincerest apologies for the inconvenience caused here, all.
I just wanted to say that I was having the same issue in regards to automatic upgrades, that my version of Unsigned was not recognizing that there was a new update. So I changed the permissions on wp-content to 777 from 755, and it allowed me then to see “A new version of WooFramework is available.”
Whenever you do get it upgraded, please remember to change your permissions back!
Again, same here
Having same problem.
I’m having the same problems…when I click on the link above…it’s asks me to login…then it just takes me to the dashboard. When I try to enter in the link again…same thing…so I can’t get to the tutorial on how to manually update the framework.
Hi Tony,
Please e-mail us on techsupport[at]woocommerce.com if the link to the tutorial doesn’t work after logging out, clearing your browser’s cache and logging back in.
From there, our ninjas will assist in getting the upgrade to you. 🙂
Hi! I can’t access this link. Every time I click it it takes me to the WooThemes login page (even if I’m already logged in!) and won’t take me any farther.
– Update Framework page says I have the “most recent version” – 5.1.4 and I can’t get at the page to manually update.
I’m running in circles here – please help!
Joanna,
The update functionality from within the theme options should be working now, please let us know if it is.
You shouldn’t need to manually do so now. 🙂
Have attempted to download via automatic update and get the message that I have the latest version (5.3.11). I try to login to my account and get the message that I have an expired membership–which I do not. Any help would be appreciated. I am concerned that more information wasn’t available regarding the critical nature of this exploit as well. It makes me worry about my woothemes websites (approximately 25 of them). I really like woothemes, but I lost a lot of time during the timthumb exploit and do not like the idea of having this issue again.
Hi Joe,
Regarding your subscription, we’re currently in the process of restoring this data. Thank you for your patience in this regard.
I’d advise performing a manual upgrade, as outlined in our tutorial here: http://woocommerce.com/2009/08/how-to-upgrade-your-theme/#update-6
Our sincerest apologies for the inconvenience caused here.
Thanks and regards,
Matty.
A blog comment (by Mark Lowe) on this article on memeburn.com claimed there may be an exploit in the .12 framework.
Can you please advise if it is safe to apply the .12 fix?
http://memeburn.com/2012/04/premium-wordpress-theme-developer-woothemes-hacked/#comment-513968267
Hi Steve.
I can confirm that Mark Lowe is incorrect. The file he’s referring to would be injected only to vulnerable websites. In his case, I’d upgrade to V5.3.12 and then change all passwords (FTP, CPanel, Database, WordPress, etc).
I can’t update either b/c it says it’s already up to date w/ an outdated version. My theme updates never come through the admin either.
Hi vrob,
Please see our tutorial here ( http://woocommerce.com/2009/08/how-to-upgrade-your-theme/#update-6 ) for steps to perform a manual upgrade.
Thanks.
Ok, but that’s a pain…do you know why the dash upgrade isn’t working for so many people? I’d feel better if you had this on your radar and were trying to fix it…
Ok–Just tried to read the instructions to manually update and I get the same login loop others describe, so I log in, then try to access the page and it tells me to log in. So it’s nice that you’re telling everyone to upgrade, but send me another email when you fix the upgrader or the login loop…
The framework update functionality should be working, you can find that here. – http://cl.ly/0c3N0m2v3E3R0i1o2z0i
Hiya. Perhaps emailing users when there a critical update is available might be in order? Especially when an exploit is found …
http://lightpointsecurity.com/content/how-to-botch-a-security-vulnerability-discovery-woothemes-case-study
We could have sent an email out with the information, with our site down though we had no where to direct people. We weren’t able to send people to a post, provide a download of the updated framework, instructions on updating, etc…
As soon as the site came back up safely we sent an email. It was just entirely bad timing unfortunately.
New framework successfully updated
thank you
I hit update framework in my WordPress and all I get is “You have the latest version of WooFramework
→ Your version: 5.1.3”.
This is ridiculous, people. I’ve had my whole hosting account hacked and infected because of WooTheme bugs. Hire some security expert.
Hi Egor,
Our sincerest apologies for the inconvenience caused here.
I can assure that we’re doing all we can to rectify the situation as best we can.
I noticed a problem when I updated canvas to 4.7.11. When trying to add a new menu item in one of my menus a pop-up would come up saying “Are you sure you want to do this?” with no option. Actually deleted V 4.7.11 and reinstalled V 4.7.9. Now am able to update menus but frame work update is not yet a reality. Will try to be patient as I have been in this situation myself.
Hi Tony,
This issue has been rectified in V5.3.12 of the WooFramework.
I’d recommend performing the same manual upgrade as you did when reverting to V4.7.9, except with V5.3.12.
Please e-mail techsupport [at] woocommerce.com if you encounter issues, either with the automatic updater or with posting in the forum or viewing the tutorial here: http://woocommerce.com/2009/08/how-to-upgrade-your-theme/#update-6
Thanks and regards,
Matty.
I have a combination of EGOR’s problem and JOEY WATT’s.
My WooFramework’s say “You have the latest version of WooFramework” when it really IS NOT (5.13, 5.0.2, or less)
AND
I have the expired membership problem. So when I visit your link to MANUALLY UPGRADE the framework with the tutorial, it brings me to the Expired subscription page. Can’t upgrade anything and can’t even read about how to do it manually.
Love the themes, love the support, but is really getting ridiculous …
the manual framework upgrade link started working for me so that is fixed **
Thanks for letting us know, Mike. 🙂
Same:
You have the latest version of WooFramework
→ Your version: 5.3.11
Hi Tom,
If the above-mentioned tutorial link isn’t visible to you, please let us know on techsupport [at] woocommerce.com and we’ll assist you in upgrading. 🙂
Hi team,
I see this message:
You have the latest version of WooFramework
→ Your version: 5.3.3
No update to the recommended V5.3.12 is available.
Regards,
Igor
Hi Igor,
Please see the link to our manual upgrade tutorial above.
Our sincerest apologies for the inconvenience caused here.
Thanks and regards,
Matty.
Hi Matty,
The recommended link – http://woocommerce.com/2009/08/how-to-upgrade-your-theme/#update-6 – brings us to login page, and after login directs to nowhere.
Regards,
Igor
Sorry, I’m logged out every time I try to reach the link to the manual update entry. What can I do?
Hi there.
Please e-mail support [at] woocommerce.com and we can assist with the update.
Our sincerest apologies for the inconvenience caused here.
Howdy woo – great to see you back – I’ve upgraded my woo framework and I get the message: “all up to date on 5.1.6” no mention of 5.3.12? Any ideas?
Hi there. 🙂
We’d recommend a manual upgrade in that case. Please see the blog post for a link to the manual WooFramework upgrade tutorial.
If this tutorial is inaccessible to your WooThemes account, please e-mail us on support [at] woocommerce.com and we’ll assist with getting you upgraded. 🙂
I’ll send in an email matty as I cannot download anything right now from woo – even after reactivating 🙁
There is another download link for the latest Framework file on this member forum post: http://woocommerce.com/support-forum/?viewtopic=75054
I can login to my account, but I’m one of the users that has the message that the account is no longer active. I can’t get to the manual framework link because the site logs me out on clicking the link, and on logging back in I’m taken elsewhere.
@thomas – thanks, I’ve at least got hold of the framework now.
Could someone confirm how I update it? Do I just unzip it over the Theme name folder? Maybe a cut ‘n’ paste from the tutorial that we can’t reach to a sticky on the forum, and/or this blog post?
OK, overwriting the files doesn’t work.
Just received general email pushed out, which doesn’t contain instructions.
HELP!
I’ve logged in but I can’t enter (http://woocommerce.com/2009/08/how-to-upgrade-your-theme/) this page. I’m sure this is not a cookie issue, I have dashboard access.
Why are you not writing the direct link to WooFramework 5.3.12? http://woocommerce.com/updates/framework.zip
I’ve got the same issue with the link that Mustafa mentions.
Ok
Let’s go through some of the issues here that I (and maybe others) are experiencing. I have a subscription account which doesn’t work, it tells me it has expired. I have sent a number of emails to support but have yet to have the issue rectified.
I have a number of high value clients that would be mortified to know their websites are vulnerable.
Many of the sites I have tried to update the framework with tell me I have the latest version of the framework when I clearly don’t.
I can’t access the latest files because logins don’t work and there is nothing for me to download – even though I should have access to all.
I understand the problems Woo are facing but these are serious times.
Still waiting
Peter
Geez Users – back off. Give this provider some time to rectify things. Just because we don’t have the latest framework is NO reason to panic. Hell, we’ve probably been at risk for some time. And, the truth be known, there are probably other vulnerabilities in our themes and frameworks. So, get over it! Just make sure you actually back your sites up routinely and then you can breathe. Gosh sakes.
Marcus
No one is abusing Woo here. However when you cannot access certain information, when it is critical to do so, then of course people are anxious.
Your assertion that we have probably been at risk for some time is weird. There is a difference between security vulnerabilities being published online by others and a security notification by the company itself.
Very different!
Peter
The 5.3.12 update doesn’t show for me on the “Update Framework” menu. So I tried to upload manually by logging in. I realized that I forgot my password on Woothemes. So I clicked Lost Password? then wrote my email. I got an email saying “This site requires JavaScript and Cookies to be enabled. Please change your browser settings or upgrade your browser.” So the sending new password system is not working…
Good luck on sorting all this guys and well done on efforts so far, but I’m one of the many frustrated people who cannot update.
The dashboard doesn’t work – it says I’m on the latest where I’m not.
The manual link to update doesn’t work – it just loops me around login/dashboard and never shows the page.
There is no where else to download 5.3.12 from.
So you have a fix, but there is no way for me to actually access it. Can someone else who has 5.3.12 upload to somewhere else and provide a link here please? I have multiple vulnerable sites that need patching ASAP!
Thanks in advance.
(oh and to top it all off, the createsend mailer that just came out from Adii is a little broken too (i.e. techsupport@ mailto link is broken).
I know you’re trying your hardest but I think you need to make this update publicly available on a trusted server/3rd party host as soon as possible, instead of relying on people being able to access it through the woo domains which just isn’t working for me and many others.
Pete
OK, I’ve got working links. I’m not sure if there was a good reason for not publicly posting the framework link – could that lead to more attacks? So I’ll post the link that works for me and the method that worked for me in the General forum ASAP. Keep refreshing 😉
Can you simply post the instructions here? I submitted a support ticket email almost an hour ago with no reply. I cannot access the instructions page because it keeps asking me to log into the website when I am clearly logged in.
I couldn’t access the instruction page either, but I can now access the forum.
You need to use the download to replace the existing theme functions folder.
Great, thank you.
Hello Guys,
I have tried to update the WooFramework through the dashboard however, when I try I get this error “Failed: Filesystem preventing downloads. ( ftpext)”.
What should I do next?
Every time I go to that instruction page for the framework I get logged out and can’t see anything.
hi do we need to update woocommerce?
You should always keep WooCommerce up to date.
Hi,
I can’t update the woo framework automatically from my theme (inside admin area), and every time I click on the instructions for the manual update, I get logged out and I can’t see them…
Please forward a link to the manual instructions which I can see (it seems that Mike has the same problem!).
Thanks,
Kenny
Hi all,
Yes, there was a good reason for not posting the direct link to the ZIP file here.
If you encounter issues with the automatic updater, please download the ZIP file from the link that several commenters have now posted.
The steps are:
– Download ZIP file, either from the direct link posted by several commenters here, or by e-mailing us for the ZIP file.
– Backup your entire theme onto your computer. This is a precaution in case you need to revert to the previous version you were running.
– Unzip the WooFramework ZIP file downloaded in step 1.
– Remove all files from the “functions” folder inside your theme via FTP.
– Replace the content of the “functions” folder inside your theme with the contents of the ZIP file unzipped above.
You should now be running the latest version of the WooFramework.
Please see above in the blog post as well. If you encounter issues with these steps or with the download, please contact us directly on techsupport [at] woocommerce.com rather than commenting here. 🙂
Thanks and regards,
Matty.
“I can’t update the woo framework automatically from my theme (inside admin area), and every time I click on the instructions for the manual update, I get logged out and I can’t see them…
Please forward a link to the manual instructions which I can see (it seems that Mike has the same problem!).
Thanks,
Kenny”
I have got the same problems, I cannot access the instructions for manual update. When trying to access it, I have to login and get redirected to my account dashboard.
Please, let me know how to access the manual update instructions.
Hi Ellen,
I’ve added manual update instructions to this blog post.
Our sincerest apologies for the inconvenience caused here.
Hi Matty!
Thanks for the instructions. (Your post was published, when I was still writing mine, sorry if I seemed concerned or impatient.)
I could update all of my woothemes’ framework.
This is getting old, timthumb and now this?
The below works just fine. Make a complete backup first
http://woocommerce.com/updates/framework.zip
Replace all files in the /functions directory
Now you have manually patched the framework
Michael
I’m running Framework 2.7.10 and watched a video on the Woothemes site about being able to update your framework via WordPress. I don’t know what’s wrong, but there is no button in my Busy Bee section of WordPress that allows me to update the framework. I don’t know how to update it manually because the instructions are confusing me.
Hi Stevie,
We’d definitely recommend upgrading from a V2.x of the WooFramework. I don’t believe automatic updates were present in those versions, unfortunately.
If you require assistance in performing this upgrade, please e-mail us on techsupport [at] woocommerce.com.
To rephrase the instructions, it would be:
– Backup your theme from your website (via FTP) onto your computer.
– Download the ZIP file linked to above and unzip it.
– Via FTP, remove the contents of the “functions” folder of the theme.
– Replace the contents of the “functions” folder with the contents of the ZIP file unzipped in step 2.
I hope that helps. If not, please e-mail us and we can assist. 🙂
Thanks and regards,
Matty.
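The manual procedure given in the blog post (“Manually Upgrading the WooFramework”) and restated twice in the comments above boils down to: back up the theme, empty the theme’s functions folder, extract the framework ZIP into it, and repeat for every WooFramework theme on the server. The Python below is an added example written for this post, not a WooThemes tool, that performs exactly those steps on the server’s filesystem. It assumes that a theme under wp-content/themes is a WooFramework theme if it has a functions folder (an assumption, not something the post states), copes with a ZIP whose files sit either at the archive root or under one top-level folder, refuses archive entries that would escape the functions folder, and reports any old file that the new release no longer ships. That last point matters because copying the new files over a non-empty folder leaves such files behind, which is how a duplicate-function fatal error can appear. The sample site it builds in build_sample_site() is constructed test data (the theme and file names are borrowed from this page; the file contents are made up).

```python
import shutil
import tempfile
import zipfile
from datetime import datetime
from pathlib import Path

FUNCTIONS_DIR = "functions"  # the folder inside each theme that holds the WooFramework


def framework_themes(themes_root):
    """Yield every theme directory that has a functions/ folder.
    Assumption: under wp-content/themes, a functions/ folder marks a WooFramework theme."""
    for theme in sorted(p for p in Path(themes_root).iterdir() if p.is_dir()):
        if (theme / FUNCTIONS_DIR).is_dir():
            yield theme


def backup_functions(theme_dir, backup_root):
    """Zip the theme's current functions/ folder so the old version can be restored."""
    Path(backup_root).mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    base = Path(backup_root) / f"{theme_dir.name}-functions-{stamp}"
    return shutil.make_archive(str(base), "zip", root_dir=theme_dir / FUNCTIONS_DIR)


def framework_members(zf):
    """Map archive entries to paths relative to functions/. Works whether the ZIP holds
    the files at its root or wraps them all in a single top-level folder."""
    names = [n for n in zf.namelist() if not n.endswith("/")]
    tops = {n.split("/", 1)[0] for n in names}
    prefix = tops.pop() + "/" if len(tops) == 1 and all("/" in n for n in names) else ""
    return {n: n[len(prefix):] for n in names}


def replace_functions(theme_dir, framework_zip):
    """Empty functions/ completely, then extract the new framework into it.
    Returns the old files absent from the new archive: copying over a non-empty folder
    would leave them behind, which can produce PHP 'Cannot redeclare' fatal errors."""
    func_dir = Path(theme_dir) / FUNCTIONS_DIR
    old_files = {p.relative_to(func_dir).as_posix() for p in func_dir.rglob("*") if p.is_file()}
    with zipfile.ZipFile(framework_zip) as zf:
        members = framework_members(zf)
        for rel in members.values():  # refuse archives that try to write outside functions/
            if Path(rel).is_absolute() or ".." in Path(rel).parts:
                raise ValueError(f"unsafe path in archive: {rel}")
        shutil.rmtree(func_dir)
        func_dir.mkdir()
        for name, rel in members.items():
            dest = func_dir / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(name) as src, open(dest, "wb") as dst:
                shutil.copyfileobj(src, dst)
    return sorted(old_files - set(members.values()))


def upgrade_all(themes_root, framework_zip, backup_root):
    """Apply the manual upgrade to every WooFramework theme on the server, not just the active one."""
    report = {}
    for theme in framework_themes(themes_root):
        backup = backup_functions(theme, backup_root)
        stale = replace_functions(theme, framework_zip)
        report[theme.name] = {"backup": backup, "stale_removed": stale}
    return report


def build_sample_site(root):
    """Constructed test data: a throwaway wp-content/themes tree plus a framework ZIP."""
    themes = Path(root) / "wp-content" / "themes"
    for name, stale in (("canvas", []), ("postcard", ["admin-theme-page.php"])):
        func = themes / name / FUNCTIONS_DIR
        func.mkdir(parents=True)
        (func / "admin-functions.php").write_text("<?php // old version\n")
        for f in stale:
            (func / f).write_text("<?php // leftover from the old release\n")
    (themes / "twentyeleven").mkdir()  # no functions/ folder: not a WooFramework theme
    zip_path = Path(root) / "framework.zip"
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("functions/admin-functions.php", "<?php // new version\n")
        zf.writestr("functions/js/example.js", "// new script\n")
    return themes, zip_path


def demo():
    """Run the upgrade against the constructed site and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        themes, zip_path = build_sample_site(tmp)
        report = upgrade_all(themes, zip_path, Path(tmp) / "backups")
        postcard = themes / "postcard" / FUNCTIONS_DIR
        report["postcard"]["stale_file_still_present"] = (postcard / "admin-theme-page.php").exists()
        report["postcard"]["admin_functions"] = (postcard / "admin-functions.php").read_text().strip()
        report["postcard"]["new_js_present"] = (postcard / "js" / "example.js").exists()
        return report


if __name__ == "__main__":
    for theme, info in demo().items():
        print(theme, info)
```

On a real server you would call upgrade_all("/path/to/wp-content/themes", "/path/to/framework.zip", "/path/to/backups") as the user that owns the theme files; the returned report lists the backup archive for each theme and any files it removed that the new framework does not contain.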
I submitted a help ticket on this but maybe this thread will be quicker. I did a manual update because the install didn’t see it needed to be updated. I forgot to empty the functions folder first. I copied over the new files and overwrote everything which seems like it should still be fine. However I now have an error message and the site doesn’t come up.
Fatal error: Cannot redeclare woothemes_more_themes_page() (previously declared in /home/jenna/public_html/chinatrip/wp-content/themes/postcard/functions/admin-functions.php:2476) in /home/jenna/public_html/chinatrip/wp-content/themes/postcard/functions/admin-theme-page.php on line 64
I’m wondering if not emptying the folder caused this or what else did. Also wondering if there’s a fix other than restoration. It makes me not want to do the manual update on any of installs until I know why this one went awry.
Thanks,
Sheila
Hi Sheila,
Removing the “admin-theme-page.php” file should resolve this. If not, please e-mail us on techsupport [at] woocommerce.com where we can assist directly. 🙂
Thanks and regards,
Matty.
Thanks Matty. But removing that file did not fix it. I’ve put in to my host to restore the site at this point. But I’m nervous to try this on another site. Do you think it was caused by not emptying that folder first?