Framework shortcode exploit has been fixed

Written by Mark Forrester on April 29, 2012 News, Product News.

There are a few tweets going around about an exploit in our WooFramework. It happens to be making news around the same time we were hacked, so naturally it could cause some hysteria about a possible link between the two and a vulnerability on our users’ sites. Rest assured there is no link, and the exploit was actually fixed a few days before our website was hacked.

We have, however, issued another update to the WooThemes framework (V5.3.11 V5.3.12) to tighten the security of our themes even further. We recommend all users update their themes to the latest version; it’s really easy. Click the “Update Framework” button in our theme framework in the WP backend to grab and install the latest version.

This from WooThemes developer Matty Cohen:

The shortcode preview functionality that was in the WooFramework’s bundled shortcode generator (the neat popup used to add shortcodes to posts and pages with a point-and-click interface) was identified as a potential security exploit several days ago. After the first report was made, we began work on isolating and resolving this exploit. This resulted in the removal of this functionality from the WooFramework (the shortcode generator is still there… just the preview functionality was removed).

The potential exploit is such that the shortcode preview allowed users to generate shortcodes using the preview window’s file, without authenticating the user.

We would have preferred the user who published the details of the exploit to have disclosed it to us securely and privately first, before sharing it on social readers where it received some unjustified, harsh critique, but for the sake of transparency we are publicly acknowledging and responding to the information at the risk of causing some nervy users.

Feel free to post any further questions below where Matty and our other developers will happily calm your nerves. What we have actioned as a result of this story is a new Twitter account that users can follow called “WooThemesDev” which will communicate theme updates and codebase details to interested users.

Follow ‘WooThemesDev’ on Twitter

Update: Version 5.3.12 of the WooFramework was recently released to ensure that the file in question is overwritten correctly by the WooFramework one-click update system. This update was flagged as “critical” and is an essential update.

Update: If you’re experiencing an issue automatically updating to V5.3.12, or the update doesn’t show for you on the “Update Framework” screen of your WordPress admin, please see our tutorial on how to perform a manual WooFramework upgrade.

If this tutorial link isn’t visible to you after being logged in to your WooThemes account, give us a shout in the Support Forum and we’ll assist in getting you upgraded.

Please ensure that all themes on your website that use the WooFramework are updated to the latest version (not just the theme you have active).

Update: Any issues that you were experiencing with our built-in auto updater have now been resolved.

Manually Upgrading the WooFramework

To manually upgrade the WooFramework, the steps are:

  1. Download the WooFramework ZIP file.
  2. Back up your entire theme onto your computer, using an FTP program (your web hosting provider should provide FTP information). This is a precaution in case you need to revert to the previous version you were running.
  3. Unzip the WooFramework ZIP file downloaded in step 1.
  4. Remove all files from the functions folder inside your theme via FTP.
  5. Replace the content of the functions folder inside your theme with the contents of the ZIP file unzipped above.
  6. Repeat this for all WooThemes using the WooFramework that are on your server, not just the active theme.
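
The manual steps above, scripted for a host with shell access, followed by a rescan of every theme for the removed preview file. This is an added example, not WooThemes' code; it assumes the unzipped ZIP's contents belong directly in `functions`, treats any theme with `functions/admin-functions.php` as a WooFramework theme, and takes the preview file's path from the URL quoted in the comments.

```shell
#!/bin/sh
# Added example: manual WooFramework upgrade (steps 2, 4, 5, 6) plus a check
# that the removed shortcode preview file is gone from every theme.

# Preview file path relative to a theme directory, taken from the URL quoted
# in the comments on this page.
PREVIEW_REL="functions/js/shortcode-generator/preview-shortcode-external.php"

# Print the name of every theme under $1 that still contains the preview file.
# Prints nothing when all themes are clean.
scan_themes() {
    themes_dir=$1
    for theme in "$themes_dir"/*/; do
        [ -f "${theme}${PREVIEW_REL}" ] && basename "$theme"
    done
    return 0
}

# Upgrade one theme.
# $1 = theme directory, $2 = directory holding the unzipped framework files,
# $3 = directory that receives the backup archive.
upgrade_theme() {
    theme_dir=${1%/}
    new_fw=$2
    backup_dir=$3
    name=$(basename "$theme_dir")

    [ -d "$theme_dir/functions" ] || { echo "skip $name: no functions folder" >&2; return 1; }
    [ -d "$new_fw" ] || { echo "missing framework dir: $new_fw" >&2; return 1; }

    # Step 2: back up the entire theme before touching it.
    mkdir -p "$backup_dir"
    tar -czf "$backup_dir/$name.tar.gz" -C "$(dirname "$theme_dir")" "$name" || return 1

    # Step 4: empty functions/ completely, so no file from the old framework
    # survives (a plain overwrite would leave the preview file in place).
    find "$theme_dir/functions" -mindepth 1 -delete || return 1

    # Step 5: copy the unzipped framework files into the emptied folder.
    cp -R "$new_fw"/. "$theme_dir/functions"/ || return 1
}

# Step 6: upgrade every WooFramework theme, active or not, then rescan.
# $1 = themes directory, $2 = unzipped framework, $3 = backup directory.
# Assumption: a theme with functions/admin-functions.php uses the WooFramework.
upgrade_all() {
    themes_dir=$1
    for t in "$themes_dir"/*/; do
        [ -f "${t}functions/admin-functions.php" ] || continue
        upgrade_theme "$t" "$2" "$3" || return 1
    done
    leftovers=$(scan_themes "$themes_dir")
    [ -z "$leftovers" ] || { echo "preview file still present in: $leftovers" >&2; return 1; }
}

# Constructed demo tree: two themes on an old framework, one unrelated theme,
# and a stand-in for the unzipped new framework. Prints the tree's root path.
make_demo() {
    root=$(mktemp -d)
    for n in olya canvas; do
        mkdir -p "$root/themes/$n/functions/js/shortcode-generator"
        echo '<?php // old' > "$root/themes/$n/functions/admin-functions.php"
        echo '<?php // preview' > "$root/themes/$n/$PREVIEW_REL"
    done
    mkdir -p "$root/themes/plain" "$root/framework/js"
    echo '<?php // new' > "$root/framework/admin-functions.php"
    echo "$root"
}

# Run "sh this-script.sh demo" to exercise the functions on the constructed tree.
if [ "${1:-}" = "demo" ]; then
    root=$(make_demo)
    echo "themes with preview file before upgrade:"
    scan_themes "$root/themes"
    upgrade_all "$root/themes" "$root/framework" "$root/backup" && echo "all themes clean"
    rm -rf "$root"
fi
```

On a real site, call `upgrade_all` with the path to `wp-content/themes`, the unzipped framework directory and a backup directory outside the web root.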

227 Responses

  1. Brandon Kraft
    April 29, 2012 at 6:02 pm #

    I haven’t developed anything using WooThemes, but have clients who have brought over Woo-based themes. The exploit’s proof-of-concept (from the Gist that I learned from it) using a link to the impacted file on demo2.woothemes.com still appears to render shortcode output.

    Can you say more about the fix? Should that still render (follow @kraft on Twitter and I’ll DM you the link. Don’t want to include it here since it is a security concern!)?

    • Matty Cohen
      April 29, 2012 at 6:13 pm #

      Hi Brandon,

      Using the latest version of the WooFramework, this file and the functionality to preview shortcodes was removed entirely.

      Any examples of this exploit in effect will not render using the latest version of the WooFramework.

      • Tony Perez
        April 29, 2012 at 6:14 pm #

        Matty

        This is great, but I think the real question is why is it still active on your demo servers.

        • Matty Cohen
          April 29, 2012 at 6:28 pm #

          Hi Tony,

          We’re currently in the process of updating our demo servers. Our sincerest apologies for the inconvenience caused here.

  2. Tony Perez
    April 29, 2012 at 6:14 pm #

    Guys,

    Great to hear that it is patched but why are we still able to see this: http://demo2.woothemes.com/olya/wp-content/themes/olya/functions/js/shortcode-generator/preview-shortcode-external.php?shortcode=%5Btwitter_follow%20username=%22iota%22%5D

    This patch needs to be pushed to your demo servers.

    • Matty Cohen
      April 29, 2012 at 6:29 pm #

      Thanks Tony. Please see above comment. 🙂

      • Tony Perez
        April 29, 2012 at 6:52 pm #

        Hey Bud

        Have to be honest, my bigger concern is not in how this vulnerability was disclosed by Jason Gill, but how it was not by WooThemes on April 23rd when it was found and patched: http://cl.ly/3S2o1z380L3i1D44443A, especially with a “critical” rating. What’s probably more frustrating is that the demo servers were not patched in that same timeframe.

        The disclosure by Jason has just further exasperated the situation and we must all now work together to get the word out to as many people as possible.

        Not good guys, not good at all.

        Tony

        • Matty Cohen
          April 29, 2012 at 7:19 pm #

          Tony,

          We’ve certainly learnt a lot over the past week, with our server downtime and this possible WooFramework exploit.

          We are taking these lessons to heart and implementing further structures and channels to be able to communicate with WooThemes users as directly and as quickly as possible.

          • Matt Kettlewell
            May 2, 2012 at 2:17 am #

            Matty et. al –

            You’re in a tough spot, and running on overtime for a while… It’s tough to know how to handle one of these fires (let alone 2) until you’re there…

            The important part is identifying the things that went well, and the things that went not-so-well, and documenting them as a policy for the next time (fingers crossed there isn’t, but this is the Internet after all).

            Cheers on being able to move forward, keeping your chins held high, and helping clients get switched over and secure as a priority.

            Matt

  3. Jason
    April 29, 2012 at 10:28 pm #

    Hey, do you have a direct download link for this? When I click the update framework link in wordpress I get a failed message..

    • Matty Cohen
      April 29, 2012 at 10:54 pm #

      Hi Jason.

      No problem. 🙂 Please post in our support forums and we’ll do all we can to assist with getting you to the latest version of the WooFramework.

      When posting in the forum, please also post the message you get when clicking the “Update Framework” button.

      Thanks Jason. 🙂

      • Jason Gill
        April 30, 2012 at 4:21 am #

        That Jason isn’t this Jason 🙂 Update Framework worked for me and fixed the issue.

        Ping me at attached email address, would be happy to have an honest discussion with you guys. Sorry for an unexpected day of troubles, next round of beers is on me.

      • Denis
        May 1, 2012 at 12:19 am #

        When I press [update framework], I get the following screen.:
        ____________
        Framework Update
        You have the latest version of WooFramework

        → Your version: 5.3.3
        _____________

        How can I force a new update? Or can I download it?

        Thank you,

        Denis

        • Denis
          May 1, 2012 at 1:28 am #

          I used your link:

          http://woo.com/2009/08/how-to-upgrade-your-theme/#update-6

          It’s updated.

          thank you

          • puranjay
            May 1, 2012 at 3:13 pm #

            This doesn’t seem to work for me. Whenever I click on that link, I am automatically logged out and told that I need to be logged in to access this content. But I’m already logged into my account, so can someone help me with this please?

            When I try to update automatically, I am told that I already have the 5.3.3 version of the framework (whereas the current version is 5.3.12)

          • Richard
            May 1, 2012 at 3:18 pm #

            Same problem here. I am unable to access the page even though I am logged in. It keeps returning to the login form.

          • lukek
            May 1, 2012 at 3:58 pm #

            Same as Puranjay and Richard below.

            Stuck in log-in loop with no way out.

            Please post the tutorial somewhere else for now.

          • Ryan Ray
            May 2, 2012 at 3:23 am #

            It should be open for anyone to see since there were issues with logging in.

            Nonetheless, the update framework functionality works from within the theme options now. 🙂

  4. Ted Folkman
    April 30, 2012 at 5:41 am #

    Hello,

    I was able to update the framework manually, but I thought you would like to know about a problem I was having with the automatic updater. I got a “copy failed” error message when I tried to do the automatic update. I changed the permissions on the /canvas/functions folder to 777 temporarily, and that did not solve the problem.

  5. Serg
    April 30, 2012 at 6:02 am #

    New framework 5-3-12 successfully downloaded, extracted and updated.
    Will stay tuned for any other critical update:)

  6. Beth
    April 30, 2012 at 10:34 pm #

    My theme framework says “up to date” but it is definitely not 5-3-12. Is this something not yet working on the new setup?

  7. Todd
    April 30, 2012 at 11:01 pm #

    I’m trying to update three separate sites but when I click “Update Framework” I get a message reading.

    “You have the latest version of WooFramework

    → Your version:” old_version_number (Showing versions, 3.7.03, 4.5.1, & 4.6.0) for the three sites. Do I need to download this and install it manually? If so, where can I go to do this?

    TY

  8. Johnny
    April 30, 2012 at 11:46 pm #

    Appreciate that you boys have had some rough days, but some of us have had our accounts “expire” – are you working on fixing that?

  9. Matty Cohen
    May 1, 2012 at 12:11 am #

    Hi Beth, Todd,

    To manually upgrade the WooFramework, please see our guide here: http://woo.com/2009/08/how-to-upgrade-your-theme/#update-6

    Hi Johnny.

    We are aware of the subscription expiration issue and will be looking into it over the next few days. 🙂

    • Todd
      May 1, 2012 at 12:31 am #

      OK, I tried to follow that link which brought me to a login page stating “This resource is only available to registered WooThemes users.” I then log in and I’m redirected to “http://woo.com/dashboard/” and so when I try to paste the URL into my address bar (having just logged in) it takes me back to the “This resource is only available to registered WooThemes users.” page. Any insight into why I’m unable to find the page you’re linking to?

      TY

      • Julie
        May 1, 2012 at 1:16 am #

        I’m having the exact same problem as Todd, and am also unable to post about the issue in the forum — it lets me compose my forum post, but then the submit button does nothing at all.

        • Evan
          May 1, 2012 at 2:23 am #

          I’m having the same problem – the tutorial asks me to log in, even when I’m already logged in, so I can’t view it. If I log in on the prompt page, it just takes me to the dashboard.

          • Konstantinos
            May 1, 2012 at 6:56 am #

            Same issue here as all of the previous commenters noted.

            I should also note that the “Update framework” button has NEVER worked for me.

            Will we get any clarification on this?

          • Casey
            May 1, 2012 at 3:02 pm #

            Same exact issue here. Logged in, click link and am asked to login again, when I do I go to Dashboard.

      • Matty Cohen
        May 1, 2012 at 7:53 am #

        Todd, Julie, Evan, Konstantinos,

        The login issue is a known issue at present, which our team are working to resolve.

        Please email us on techsupport [at] woocommerce.com where we can assist with the upgrade, if you’re having difficulty accessing the forums as well.

        @Konstantinos – The “Update Framework” link may not be working for you due either to a permissions issue with your “wp-content” folder not being able to be written to, or due to your server not allowing the connection to be made to retrieve the information about the update.

        Our sincerest apologies for the inconvenience caused here, all.

        • gray ayer
          May 2, 2012 at 1:58 am #

          I just wanted to say that I was having the same issue in regards to automatic upgrades, that my version of Unsigned was not recognizing that there was a new update. So I changed the permissions on wp-content to 777 from 755, and it allowed me then to see “A new version of WooFramework is available.”

          • Ryan Ray
            May 2, 2012 at 3:25 am #

            Whenever you do get it upgraded, please remember to change your permissions back!

      • lukek
        May 1, 2012 at 3:59 pm #

        Again, same here

      • Rebecca
        May 1, 2012 at 5:34 pm #

        Having same problem.

    • Tony Oravet
      May 1, 2012 at 2:39 am #

      I’m having the same problems…when I click on the link above…it asks me to login…then it just takes me to the dashboard. When I try to enter in the link again…same thing…so I can’t get to the tutorial on how to manually update the framework.

      • Matty Cohen
        May 1, 2012 at 8:39 am #

        Hi Tony,

        Please e-mail us on techsupport[at]woocommerce.com if the link to the tutorial doesn’t work after logging out, clearing your browser’s cache and logging back in.

        From there, our ninjas will assist in getting the upgrade to you. 🙂

    • Joanna Meyer
      May 1, 2012 at 3:15 pm #

      Hi! I can’t access this link. Every time I click it it takes me to the WooThemes login page (even if I’m already logged in!) and won’t take me any farther.

      – Update Framework page says I have the “most recent version” – 5.1.4 and I can’t get at the page to manually update.

      I’m running in circles here – please help!

      • Ryan Ray
        May 2, 2012 at 3:26 am #

        Joanna,

        The update functionality from within the theme options should be working now, please let us know if it is.

        You shouldn’t need to manually do so now. 🙂

  10. Joe Watts
    May 1, 2012 at 12:49 am #

    Have attempted to download via automatic update and get the message that I have the latest version (5.3.11). I try to login to my account and get the message that I have an expired membership–which I do not. Any help would be appreciated. I am concerned that more information wasn’t available regarding the critical nature of this exploit as well. It makes me worry about my woothemes websites (approximately 25 of them). I really like woothemes, but I lost a lot of time during the timthumb exploit and do not like the idea of having this issue again.

    • Matty Cohen
      May 1, 2012 at 7:59 am #

      Hi Joe,

      Regarding your subscription, we’re currently in the process of restoring this data. Thank you for your patience in this regard.

      I’d advise performing a manual upgrade, as outlined in our tutorial here: http://woo.com/2009/08/how-to-upgrade-your-theme/#update-6

      Our sincerest apologies for the inconvenience caused here.

      Thanks and regards,
      Matty.

  11. Steve
    May 1, 2012 at 12:58 am #

    A blog comment (by Mark Lowe) on this article on memeburn.com claimed there may be an exploit in the .12 framework.
    Can you please advise if it is safe to apply the .12 fix?

    http://memeburn.com/2012/04/premium-wordpress-theme-developer-woothemes-hacked/#comment-513968267

    • Matty Cohen
      May 1, 2012 at 7:46 am #

      Hi Steve.

      I can confirm that Mark Lowe is incorrect. The file he’s referring to would be injected only to vulnerable websites. In his case, I’d upgrade to V5.3.12 and then change all passwords (FTP, CPanel, Database, WordPress, etc).

  12. vrob
    May 1, 2012 at 1:56 am #

    I can’t update either b/c it says it’s already up to date w/ an outdated version. My theme updates never come through the admin either.

    • Matty Cohen
      May 1, 2012 at 7:57 am #

      Hi vrob,

      Please see our tutorial here ( http://woo.com/2009/08/how-to-upgrade-your-theme/#update-6 ) for steps to perform a manual upgrade.

      Thanks.

      • vrob
        May 1, 2012 at 2:49 pm #

        Ok, but that’s a pain…do you know why the dash upgrade isn’t working for so many people? I’d feel better if you had this on your radar and were trying to fix it…

      • vrob
        May 1, 2012 at 3:06 pm #

        Ok–Just tried to read the instructions to manually update and I get the same login loop others describe, so I log in, then try to access the page and it tells me to log in. So it’s nice that you’re telling everyone to upgrade, but send me another email when you fix the upgrader or the login loop…

  13. Trace
    May 1, 2012 at 2:01 am #

    Hiya. Perhaps emailing users when there is a critical update available might be in order? Especially when an exploit is found …

  14. Marie
    May 1, 2012 at 2:06 am #

    New framework successfully updated
    thank you

  15. Egor
    May 1, 2012 at 2:32 am #

    I hit update framework in my WordPress and all I get is “You have the latest version of WooFramework

    → Your version: 5.1.3”.

    This is ridiculous, people. I’ve had my whole hosting account hacked and infected because of WooTheme bugs. Hire some security expert.

    • Matty Cohen
      May 1, 2012 at 7:50 am #

      Hi Egor,

      Our sincerest apologies for the inconvenience caused here.

      I can assure that we’re doing all we can to rectify the situation as best we can.

  16. Tony
    May 1, 2012 at 5:58 am #

    I noticed a problem when I updated canvas to 4.7.11. When trying to add a new menu item in one of my menus a pop-up would come up saying “Are you sure you want to do this?” with no option. Actually deleted V 4.7.11 and reinstalled V 4.7.9. Now am able to update menus but frame work update is not yet a reality. Will try to be patient as I have been in this situation myself.

    • Matty Cohen
      May 1, 2012 at 7:56 am #

      Hi Tony,

      This issue has been rectified in V5.3.12 of the WooFramework.

      I’d recommend performing the same manual upgrade as you did when reverting to V4.7.9, except with V5.3.12.

      Please e-mail techsupport [at] woocommerce.com if you encounter issues, either with the automatic updater or with posting in the forum or viewing the tutorial here: http://woo.com/2009/08/how-to-upgrade-your-theme/#update-6

      Thanks and regards,
      Matty.

  17. Mike
    May 1, 2012 at 8:22 am #

    I have a combination of EGOR’s problem JOEY WATT’s

    My WooFramework’s say “You have the latest version of WooFramework” when it really IS NOT (5.13, 5.0.2, or less)

    AND

    I have the expired membership problem. So when I visit your link to MANUALLY UPGRADE the framework with the tutorial, it brings me to the Expired subscription page. Can’t upgrade anything and can’t even read about it do it manually.

    Love the themes, love the support, but is really getting ridiculous …

    • Mike
      May 1, 2012 at 8:24 am #

      the manual framework upgrade link started working for me so that is fixed **

      • Matty Cohen
        May 1, 2012 at 8:38 am #

        Thanks for letting us know, Mike. 🙂

  18. Tom
    May 1, 2012 at 8:44 am #

    Same:

    You have the latest version of WooFramework

    → Your version: 5.3.11

    • Matty Cohen
      May 1, 2012 at 9:26 am #

      Hi Tom,

      If the above-mentioned tutorial link isn’t visible to you, please let us know on techsupport [at] woocommerce.com and we’ll assist you in upgrading. 🙂

  19. Igor
    May 1, 2012 at 9:25 am #

    Hi team,

    I see this message:

    You have the latest version of WooFramework

    → Your version: 5.3.3

    No updates for a recommended V5.3.12 is available.

    Regards,
    Igor

    • Matty Cohen
      May 1, 2012 at 9:27 am #

      Hi Igor,

      Please see the link to our manual upgrade tutorial above.

      Our sincerest apologies for the inconvenience caused here.

      Thanks and regards,
      Matty.

  20. tmeise
    May 1, 2012 at 12:06 pm #

    Sorry, I’m logged out every time I try to reach the link to the manual update entry. What can I do?

    • Matty Cohen
      May 1, 2012 at 12:24 pm #

      Hi there.

      Please e-mail support [at] woocommerce.com and we can assist with the update.

      Our sincerest apologies for the inconvenience caused here.

  21. allmyhoney
    May 1, 2012 at 12:22 pm #

    Howdy woo – great to see you back – I’ve upgraded my woo framework and I get the message: “all up to date on 5.1.6” no mention of 5.3.12? Any ideas?

    • Matty Cohen
      May 1, 2012 at 12:42 pm #

      Hi there. 🙂

      We’d recommend a manual upgrade in that case. Please see the blog post for a link to the manual WooFramework upgrade tutorial.

      If this tutorial is inaccessible to your WooThemes account, please e-mail us on support [at] woocommerce.com and we’ll assist with getting you upgraded. 🙂

      • allmyhoney
        May 1, 2012 at 1:24 pm #

        I’ll send in an email Matty as I cannot download anything right now from woo – even after reactivating 🙁

  22. Thomas
    May 1, 2012 at 1:02 pm #

    There is another download link for the latest Framework file on this member forum post: http://woo.com/support-forum/?viewtopic=75054

  23. Sandie
    May 1, 2012 at 1:51 pm #

    I can login to my account, but I’m one of the users that has the message that the account is no longer active. I can’t get to the manual framework link because the site logs me out on clicking the link, and on logging back in I’m taken elsewhere.

    @thomas – thanks, I’ve at least got hold of the framework now.

    Could someone confirm how I update it? Do I just unzip it over the Theme name folder? Maybe a cut ‘n’ paste from the tutorial that we can’t reach to a sticky on the forum, and/or this blog post?

    • Sandie
      May 1, 2012 at 2:09 pm #

      OK, overwriting the files doesn’t work.

      Just received general email pushed out, which doesn’t contain instructions.

      HELP!

  24. Mustafa
    May 1, 2012 at 2:15 pm #

    I’ve logged in but I can’t enter (http://woo.com/2009/08/how-to-upgrade-your-theme/) this page. I’m sure this is not a cookie issue, I have dashboard access.

  25. Tom
    May 1, 2012 at 2:19 pm #

    Why you are not writing the direct link to WooFramework 5.3.12? http://woo.com/updates/framework.zip

  26. Keith
    May 1, 2012 at 2:21 pm #

    I’ve got the same issue with the link that Mustafa mentions.

  27. Peter Ricci
    May 1, 2012 at 2:24 pm #

    Ok

    Let’s go through some of the issues here that I (and maybe others are experiencing) I have a subscription account which doesn’t work, it tells me it has expired. I have sent a number of emails to support but have yet to have issue rectified.

    I have a number of high value clients that would be mortified to know their websites are vulnerable.

    Many of the sites I have tried to update the framework with tell me I have latest version of framework when I clearly don’t.

    I can’t access latest files because logins don’t work and there is nothing for me to download – even though I should have access to all.

    I understand the problems Woo are facing but these are serious times.

    Still waiting

    Peter

  28. Marcus Tibesar
    May 1, 2012 at 2:26 pm #

    Geez Users – back off. Give this provider some time to rectify things. Just because we don’t have the latest framework is NO reason to panic. Hell, we’ve probably been at risk for some time. And, the truth be known, there are probably other vulnerabilities in our themes and frameworks. So, get over it! Just make sure you actually back your sites up routinely and then you can breathe. Gosh sakes.

    • Peter Ricci
      May 1, 2012 at 2:34 pm #

      Marcus

      No one is abusing Woo here. However when you cannot access certain information, when it is critical to do so, then of course people are anxious.

      Your assertion that we have probably been at risk for sometime, is weird. There is a difference between security vulnerabilities being published online by others and a security notification by the company itself.

      Very different!

      Peter

  29. Volkan
    May 1, 2012 at 2:31 pm #

    The 5.3.12 update doesn’t show for me on the “Update Framework” menu. So I tried to upload manually by logging in. I realized that I forgot my password on Woothemes. So I clicked Lost Password? then wrote my email. I got an email saying “This site requires JavaScript and Cookies to be enabled. Please change your browser settings or upgrade your browser.” so sending new password system is not working…

  30. Pete Meadows
    May 1, 2012 at 2:44 pm #

    Good luck on sorting all this guys and well done on efforts so far, but I’m one of the many frustrated people who cannot update.

    The dashboard doesn’t work – it says I’m on the latest where I’m not.

    The manual link to update doesn’t work – it just loops me around login/dashboard and never shows the page.

    There is no where else to download 5.3.12 from.

    So you have a fix, but there is no way for me to actually access it. Can someone else who has 5.3.12 upload to somewhere else and provide a link here please? I have multiple vulnerable sites that need patching ASAP!

    Thanks in advance.

    (oh and to top it all off, the createsend mailer that just came out from Adii is a little broken too (i.e. techsupport@ mailto link is broken)).

    I know you’re trying your hardest but I think you need to make this update publicly available on a trusted server/3rd party host as soon as possible, instead of relying on people being able to access it through the woo domains which just isn’t working for me and many others.

    Pete

    • Sandie
      May 1, 2012 at 2:46 pm #

      OK, I’ve got working links. I’m not sure if there was a good reason for not publicly posting the framework link – could that lead to more attacks? So I’ll post the link that works for me and the method that worked for me in the General forum ASAP. Keep refreshing 😉

  31. idEric
    May 1, 2012 at 2:50 pm #

    Can you simply post the instructions here? I submitted a support ticket email almost an hour ago with no reply. I cannot access the instructions page because it keeps asking me to log into the website when I am clearly logged in.

    • Sandie
      May 1, 2012 at 2:53 pm #

      I couldn’t access the instruction page either, but I can now access the forum.

      You need to use the download to replace the existing theme functions folder.

      • idEric
        May 1, 2012 at 2:55 pm #

        Great, thank you.

  32. Mike
    May 1, 2012 at 2:52 pm #

    Hello Guys,

    I have tried to update the WooFramework through the dashboard however, when I try I get this error “Failed: Filesystem preventing downloads. ( ftpext)”.

    What should I do next?

  33. mike
    May 1, 2012 at 2:57 pm #

    every time I go to that instruction page for the framework I get logged out and can’t see anything

  34. vivedesigsn
    May 1, 2012 at 3:04 pm #

    hi do we need to update woocommerce?

    • James Koster
      May 1, 2012 at 5:46 pm #

      You should always keep WooCommerce up to date.

  35. Kenny
    May 1, 2012 at 3:06 pm #

    Hi,
    I can’t update the woo framework automatically from my theme (inside admin area), and every time I click on the instructions for the manual update, I get logged out and I can’t see them…
    Please forward a link to the manual instructions which I can see (it seems that Mike has the same problem!).
    Thanks,
    Kenny

  36. Matty Cohen
    May 1, 2012 at 3:19 pm #

    Hi all,

    Yes, there was a good reason for not posting the direct link to the ZIP file here.

    If you encounter issues with the automatic updater, please download the ZIP file from the link that several commenters have now posted.

    The steps are:
    – Download ZIP file, either from the direct link posted by several commenters here, or by e-mailing us for the ZIP file.
    – Backup your entire theme onto your computer. This is a precaution in case you need to revert to the previous version you were running.
    – Unzip the WooFramework ZIP file downloaded in step 1.
    – Remove all files from the “functions” folder inside your theme via FTP.
    – Replace the content of the “functions” folder inside your theme with the contents of the ZIP file unzipped above.

    You should now be running the latest version of the WooFramework.

    Please see above in the blog post as well. If you encounter issues with these steps or with the download, please contact us directly on techsupport [at] woocommerce.com rather than commenting here. 🙂

    Thanks and regards,
    Matty.

  37. Ellen
    May 1, 2012 at 3:23 pm #

    “I can’t update the woo framework automatically from my theme (inside admin area), and every time I click on the instructions for the manual update, I get logged out and I can’t see them…
    Please forward a link to the manual instructions which I can see (it seems that Mike has the same problem!).
    Thanks,
    Kenny”

    I have got the same problems, I cannot access the instructions for manual update. When trying to access it, I have to login and get redirected to my account dashboard.

    Please, let me know how to access the manual update instructions.

    • Matty Cohen
      May 1, 2012 at 3:26 pm #

      Hi Ellen,

      I’ve added manual update instructions to this blog post.

      Our sincerest apologies for the inconvenience caused here.

      • Ellen
        May 1, 2012 at 4:11 pm #

        Hi Matty!

        Thanks for the instructions. (Your post was published, when I was still writing mine, sorry if I seemed concerned or impatient.)

        I could update all of my woothemes’ framework.

  38. JB
    May 1, 2012 at 3:30 pm #

    This is getting old, timthumb and now this?

  39. Michael
    May 1, 2012 at 3:43 pm #

    The below works just fine. Make a complete backup first

    http://woo.com/updates/framework.zip

    Replace all files in the /functions directory

    Now you have manually patched the framework

    Michael

  40. Stevie
    May 1, 2012 at 3:50 pm #

    I’m running Framework 2.7.10 and watched a video on the Woothemes site about being able to update your framework via WordPress. I don’t know what’s wrong, but there is no button in my Busy Bee section of WordPress that allows me to update the framework. I don’t know how to update it manually because the instructions are confusing me.

    • Matty Cohen
      May 1, 2012 at 4:08 pm #

      Hi Stevie,

      We’d definitely recommend upgrading from a V2.x of the WooFramework. I don’t believe automatic updates were present in those versions, unfortunately.

      If you require assistance in performing this upgrade, please e-mail us on techsupport [at] woocommerce.com.

      To rephrase the instructions, it would be:

      – Backup your theme from your website (via FTP) onto your computer.
      – Download the ZIP file linked to above and unzip it.
      – Via FTP, remove the contents of the “functions” folder of the theme.
      – Replace the contents of the “functions” folder with the contents of the ZIP file unzipped in step 2.

      I hope that helps. If not, please e-mail us and we can assist. 🙂

      Thanks and regards,
      Matty.

  41. Sheila Hoffman
    May 1, 2012 at 4:02 pm #

    I submitted a help ticket on this but maybe this thread will be quicker. I did a manual update because the install didn’t see it needed to be updated. I forgot to empty the functions folder first. I copied over the new files and overwrote everything which seems like it should still be fine. However I now have an error message and the site doesn’t come up.

    Fatal error: Cannot redeclare woothemes_more_themes_page() (previously declared in /home/jenna/public_html/chinatrip/wp-content/themes/postcard/functions/admin-functions.php:2476) in /home/jenna/public_html/chinatrip/wp-content/themes/postcard/functions/admin-theme-page.php on line 64

    I’m wondering if not emptying the folder caused this or what else did. Also wondering if there’s a fix other than restoration. It makes me not want to do the manual update on any of installs until I know why this one went awry.

    Thanks,
    Sheila

    • Matty Cohen
      May 1, 2012 at 4:09 pm #

      Hi Sheila,

      Removing the “admin-theme-page.php” file should resolve this. If not, please e-mail us on techsupport [at] woocommerce.com where we can assist directly. 🙂

      Thanks and regards,
      Matty.

      • Sheila Hoffman
        May 1, 2012 at 5:05 pm #

        Thanks Matty. But removing that file did not fix it. I’ve put in to my host to restore the site at this point. But I’m nervous to try this on another site. Do you think it was caused by not emptying that folder first?

        • Matty Cohen
          May 1, 2012 at 6:53 pm #

          Hi Sheila,

          That’s possible, yes.

          If you encounter further issues of this nature, please e-mail techsupport [at] woocommerce.com where our ninjas are on hand to assist. 🙂

          • Sheila Hoffman
            May 12, 2012 at 5:48 am #

            Per your request I emailed on May 1. On May 3 Tiago Noronha asked for my login credentials and told me s/he would look into it and would do the upgrade for me. It’s now May 11 and I haven’t heard back. I emailed again to touch base and got an automated response back that I should post! Instead of starting a new forum thread I thought I’d ask you here if someone is still looking into this for me or what my next steps are. I basically have failed to do the manual upgrade twice from v2.2.3 of the framework. Thank you.

          • Magnus
            May 12, 2012 at 1:27 pm #

            What is the link to your forum thread?

          • Sheila Hoffman
            May 12, 2012 at 3:40 pm #

            Odd, it won’t let me respond to you under your question but it will here!

            There isn’t a link to a forum thread. I had posted here (see above) and was asked to email support. I did so and by email was asked for login credentials which I sent. I have successfully manually updated another Postcard themed site. But this one failed twice requiring a backup restore. The site has framework 2.2.3 installed with Postcard v1. The other one I updated had a newer version. I’m guessing that could be the issue. If you guys can’t help me I was thinking I’d do a data backup and try starting from scratch on a dev site with a new install and import my data. I just have to be sure I find and transfer any customizations. I did this site a LONG time ago and it was pro-bono so I really don’t want to put a ton of time into it. But I’m worried about leaving it vulnerable.

            I can email my credentials again if that would help. This is what I received ….

            MAY 03, 2012 | 07:53PM CAT
            Sheila,

            Can you send us your WordPress admin & FTP login so we can debug the issue?

            I’ll personally update the theme framework for you. 🙂

            Thanks!
            Regards,
            Tiago

          • Sheila Hoffman
            May 12, 2012 at 4:01 pm #

            OK, after typing my last post I decided to take the bull by the horns. I read how to update the theme and indeed, doing so fixed the problem. So I’m good-to-go now. It might’ve been helpful if someone had simply suggested that to start with. Everything I read said the theme version didn’t matter, it was the framework that needed updating. But with a v1 theme it simply didn’t work. Happy to close my needs out.

    • Eduardo Gonzalez Loumiet
      May 1, 2012 at 7:56 pm #

      Sheila, Did removing “admin-theme-page.php” help? I removed it and received additional errors like:

      Warning: require_once(/nfs/c04/h02/mnt/80256/domains/blog.eduardogonzalezloumiet.com/html/wp-content/themes/mainstream/functions/admin-theme-page.php) [function.require-once]: failed to open stream: No such file or directory in /nfs/c04/h02/mnt/80256/domains/blog.eduardogonzalezloumiet.com/html/wp-content/themes/mainstream/functions.php on line 18

      Fatal error: require_once() [function.require]: Failed opening required ‘/nfs/c04/h02/mnt/80256/domains/blog.eduardogonzalezloumiet.com/html/wp-content/themes/mainstream/functions/admin-theme-page.php’ (include_path=’.:/usr/local/php-5.2.17/share/pear’) in /nfs/c04/h02/mnt/80256/domains/blog.eduardogonzalezloumiet.com/html/wp-content/themes/mainstream/functions.php on line 18

      • Matty Cohen
        May 2, 2012 at 12:54 am #

        Hi Eduardo,

        Your “functions.php” file is calling the “admin-theme-page.php” file.

        Commenting out or removing this line from your “functions.php” file would resolve this.

        The alternative is also to upgrade to the latest version of your theme, using the download from your WooThemes Account Dashboard. 🙂

        If you encounter issues with commenting out the legacy code in your “functions.php” file, please e-mail techsupport [at] woocommerce.com where our ninjas are on hand to assist. 🙂
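Added example (not part of the original thread and not WooThemes' own code): the manual update steps Matty lists above, scripted with a pre-flight check for the two failure modes reported in comment 41, namely stale files left behind in "functions" and a "functions.php" that still loads "admin-theme-page.php". The function names, the backup layout and the assumed form of the legacy require line are illustrative assumptions.

```shell
#!/bin/sh
# Manual WooFramework update: back up the theme, then replace the whole
# "functions" folder with the unzipped framework files.
#
# Usage (paths are placeholders):
#   sh update-framework.sh /path/to/wp-content/themes/THEME /path/to/unzipped-framework /path/to/backups

# Return 0 if the theme's functions.php still loads admin-theme-page.php on a
# line that is not commented out with // or #. Assumption: the call is a
# single-line require/include statement; /* ... */ block comments are not parsed.
has_legacy_require() {
    grep -Eq '^[[:space:]]*(require|include)(_once)?[^;]*admin-theme-page\.php' \
        "$1/functions.php"
}

# update_framework THEME_DIR NEW_FRAMEWORK_DIR BACKUP_ROOT
# Return codes: 0 updated, 2 bad input, 3 legacy require found (nothing changed),
#               4 backup failed (nothing changed), 5 copy failed (restore backup).
update_framework() {
    uf_theme=${1%/}
    uf_new=${2%/}
    uf_backups=${3%/}

    [ -f "$uf_theme/functions.php" ] && [ -d "$uf_theme/functions" ] || {
        echo "error: $uf_theme does not look like a theme with a functions folder" >&2
        return 2
    }
    [ -n "$(ls -A "$uf_new" 2>/dev/null)" ] || {
        echo "error: $uf_new is empty or missing" >&2
        return 2
    }

    # Older themes call admin-theme-page.php from functions.php. The file is not
    # present after the update, so the site would fail with the require_once()
    # fatal error quoted in the thread. Stop before touching anything.
    if has_legacy_require "$uf_theme"; then
        echo "refusing: $uf_theme/functions.php still loads admin-theme-page.php;" >&2
        echo "update the theme or comment out that line first" >&2
        return 3
    fi

    # Step 1: full copy of the theme, timestamped, outside the theme folder.
    uf_backup="$uf_backups/$(basename "$uf_theme")-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$uf_backups" && cp -Rp "$uf_theme" "$uf_backup" || {
        echo "error: backup failed, theme left untouched" >&2
        return 4
    }

    # Steps 3 and 4: empty "functions" completely, then copy the new files in.
    # Overwriting in place leaves stale files behind, which is what produces
    # the "Cannot redeclare" fatal error.
    rm -rf "$uf_theme/functions" &&
        mkdir "$uf_theme/functions" &&
        cp -Rp "$uf_new/." "$uf_theme/functions/" || {
        echo "error: copy failed, restore from $uf_backup" >&2
        return 5
    }

    echo "$uf_backup"
}

# Run only when called with the three arguments shown in the usage line.
if [ "$#" -eq 3 ]; then
    update_framework "$1" "$2" "$3"
fi
```

On success the script prints the backup path; keep that copy until the site has been checked in a browser.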

  42. Peter
    May 1, 2012 at 4:10 pm #

    I am really frustrated that the tutorial page isn’t working:

    http://woo.com/2009/08/how-to-upgrade-your-theme/#update-6

    I just get to the login page (although I’m already logged in). I try again and the page refreshes. No tutorial – when I need it the most.

    Please, woo guys, figure out a way that we don’t have to go through anything like this again.

    • lukek
      May 1, 2012 at 4:12 pm #

      They’ve pasted the tutorial at the top of the page mate.

  43. scott
    May 1, 2012 at 4:27 pm #

    I have no idea how to do steps 2, 4 and 5 from your instructions. I have never used FTP or done a manual backup. Those of us who are not techies require more specific instructions, please. How do you “backup your theme to your computer”?

    • Sandie
      May 1, 2012 at 4:50 pm #

      Step 2 :
      Log in to your WordPress installation. On the left-hand menu, click on the menu item which displays the name of your theme. Click on ‘Backup Settings’. There are two backups to complete, the WooThemes one, and at the top of that page you’ll see a link to the WordPress Export Tool. Since it sounds like you haven’t been taking backups of your site to date, suggest you complete both backups 😉

      If you can get into the forums, you’ll find other help there 😉

    • Matty Cohen
      May 1, 2012 at 5:05 pm #

      Scott,

      The FTP related steps involved connecting to your web server using an FTP program such as “Transmit” for the Mac, or FileZilla (or another such program) for Windows.

      From there, you’d navigate to your “themes” folder and drag the folder containing your theme’s files onto your computer’s desktop.

      We recommend a backup of the physical files, just in case you ever need them.

      If you’d like us to assist, please e-mail us on techsupport [at] woocommerce.com.

  44. JPatt
    May 1, 2012 at 4:35 pm #

    Great. I have invested way too heavily in Woo. I have quite a few sites with your themes and none of them can be updated automatically for some reason. I’m on a satellite connection and this is going to kill a day or two of my time just to fix this via FTP.

    Thanks for the notice though.

  45. Smoovep
    May 1, 2012 at 4:37 pm #

    The auto update and manual updates ARE NOT WORKING! The link in this post sends you into an infinite login loop. Same for the link in the email that Adii sent out earlier today.

  46. Frank McClung
    May 1, 2012 at 5:04 pm #

    As mentioned above, the Framework auto updates are not working (Canvas). When one goes to the Update Framework page, it shows that it has the latest version (5.2.2) even when this is not the latest version. I know you guys have had a hard week (understatement), but this needs to be fixed.

  47. M
    May 1, 2012 at 5:07 pm #

    I’m not a coder/developer/hacker but a possible idea to deal with some security issues:

    Create a fund/reward system to pay individuals who find major bugs in Woo products and report them to you guys first confidentially. Just some incentive for people to hack away at your system and report instead of taking it down.

  48. Matty Cohen
    May 1, 2012 at 5:08 pm #

    Hi all,

    If you see a comment that is the same issue that you’re experiencing, we are aware of it. There’s no need to repost about the same issue. 🙂

    Please follow the steps in the blog post above. If you get stuck with these steps, please e-mail us directly, rather than commenting on this blog post (this is a blog post for conveying information. Support can be done via the Support Forums or over e-mail at techsupport [at] woocommerce.com if you require assistance with the steps).

    Thanks all. We really appreciate your patience during this time and are very sorry for the inconvenience caused here.

  49. jpatt
    May 1, 2012 at 5:09 pm #

    Question: If the themes are up-to-date why would we have to change out the files in functions folder? Why would we not just update the theme and be done with it?

    • Matty Cohen
      May 1, 2012 at 5:28 pm #

      Hi jpatt,

      The theme version and WooFramework version are different entities. Having an up to date theme doesn’t constitute having an up to date WooFramework, and vice versa.

      More information on this can be found in a blog post we published on what components make up a WooTheme. 🙂

      The reason for changing out the entire “functions” folder is to ensure that all files are fresh versions (it’s also easier than updating just one or two files). 🙂

      • Jpatt
        May 1, 2012 at 5:31 pm #

        Got it. An updated theme may not include the latest framework.

  50. jpatt
    May 1, 2012 at 5:17 pm #

    May I suggest maybe faster way to update for those with ftp challenges. Not sure if this is woo approved or not. Not sure of reason for not just replacing theme.
    Idea:
    Open extracted Framework file. Copy files (select > copy)
    Open extracted woo theme. Go to functions folder. Delete files. Paste in new ones. Compress theme again. Re-install via WordPress.

    Just suggesting – May not work for reasons unknown to me. – Not necessarily woo approved.

  51. John
    May 1, 2012 at 5:21 pm #

    The link at the top of this post and manual update via FTP worked for me on two sites just now. No love on the auto update from the dashboard, but the manual was fairly painless. FYI…

  52. Claire Raikes
    May 1, 2012 at 5:22 pm #

    Followed the (very simple) steps for the Manual update (DLd the zip etc.) and all seems fine in that I was running 4.2.1 and it’s now showing I’m running 5.3.12, BUT it also says,

    Old version of TimThumb detected in your theme folder. Click here to update.

    Yet, I literally just DLd the zip, so would have thought I have the latest of everything… Don’t want to undo what I just did, so wondering do I click or not click?

    Claire

    PS. Appreciate your transparency, service dedication etc. and am sending virtual hugs/high fives/positive thoughts your way. Must have been a nightmarish week at Woo Towers. Thank you. 🙂

    • Matty Cohen
      May 1, 2012 at 5:30 pm #

      Hi Claire,

      I suspect the TimThumb was detected in your theme. I’d recommend letting the TimThumb detector do its task, which will convert to using the latest version of TimThumb, which is available in the WooFramework.

      Thanks for your support, Claire. 🙂

  53. Satish Gandham
    May 1, 2012 at 5:32 pm #

    Hi,
    I just downloaded your free theme, swatch. It still has the preview shortcode file with all the code intact.

    • Matty Cohen
      May 1, 2012 at 6:07 pm #

      Hi Satish,

      We’re currently updating all theme packages. Please bear with us while the updated files upload.

      Thanks. 🙂

  54. Barbara
    May 1, 2012 at 5:34 pm #

    Well I give up, I asked for help via email as I can’t get framework updated via the themes dashboard or through the link here and I was given the link to this page again.

    • Sandie
      May 1, 2012 at 6:33 pm #

      Don’t give up 😉 The blog post above has been updated with instructions, (including a link that works for those of us that couldn’t use the previous link). If that doesn’t work, try the forum or e-mail support.

  55. Seth
    May 1, 2012 at 5:39 pm #

    I am puzzled.

    According to the indicator on my Theme Options page as well as the info on my Update Framework page, I’m running 5.3.7

    How do I upgrade from 5.3.7 to 5.3.12? Wouldn’t that be a downgrade?

    I’m running Emporium as my theme.

    What gives?

    • Wil
      May 1, 2012 at 5:56 pm #

      Last time I checked, 12 is higher than 7, so this is definitely an upgrade 🙂

      • Seth
        May 1, 2012 at 6:19 pm #

        You, sir, are absolutely correct.

        Until you pointed it out, I was reading it as 5.3.7 vs 5.3.7.1.2

        I always use single digits between dots for my plugin / theme versions…

        Thanks for setting me straight. I’m off to upgrade!

  56. Lupisima
    May 1, 2012 at 5:48 pm #

    Hi there,
    I just replace manual and it works 🙂

    Should I update my WP to the 3.3.2 version ?

    Thank you!

    • Matty Cohen
      May 1, 2012 at 6:10 pm #

      Hi Lupisima,

      We’d recommend keeping your WordPress installation up to date on a regular basis, yes. 🙂

  57. Rebecca
    May 1, 2012 at 7:17 pm #

    OK, I manually updated the functions folder EXACTLY as detailed here. I am getting a fatal error now!!!!!!!!!!!

    Fatal error: require_once() [function.require]: Failed opening required ‘/home/YADDAYAYAD/public_html/MYBLOG/wp-content/themes/freshnews/functions/admin-theme-page.php’ (include_path=’.:/usr/lib/php:/usr/local/lib/php’) in /home/YADDAYADA/public_html/MYBLOG/wp-content/themes/freshnews/functions.php on line 18

    ??? I am not a tech expert. Please tell me what this means. I have Woo Themes on 5 of my sites, all are commercial sites. This is atrocious.

    • Matty Cohen
      May 1, 2012 at 7:30 pm #

      Hi Rebecca,

      This file should not be present on the server, nor required by another file.

      Please e-mail us on techsupport [at] woocommerce.com where we can assist with this upgrade.

      You may need to comment out a line in the “functions.php” file of Fresh News, I believe.

      • Matty Cohen
        May 1, 2012 at 7:32 pm #

        Update: This line isn’t in the latest version of Fresh News’ “functions.php” file. I suspect you’re running an older version of the theme (which should be fine, by the way) and would just need to patch one line in your “functions.php” file. 🙂

        I’ve informed the team to keep an eye out for your e-mail and what the issue is. 🙂

        • Rebecca
          May 1, 2012 at 7:41 pm #

          Matty: THANKS for the speedy response. Yes, i am using an old theme version. I emailed techsupport. I hope they answer soon! 🙂 THANKS!!!!!

  58. Joe
    May 1, 2012 at 7:24 pm #

    I tried to go to the link you provided to manually update my theme (http://woo.com/2009/08/how-to-upgrade-your-theme/#update-6), but I get a login page and I am not a subscriber. I’m using the Bueno theme. How can I get the instructions?

    • Matty Cohen
      May 1, 2012 at 7:31 pm #

      Hi Joe,

      Please see the updated blog post above, containing instructions. 🙂

      Thanks and regards,
      Matty.

  59. Vid Luther
    May 1, 2012 at 7:38 pm #

    I’ve written a quick and dirty mass updater for other hosting companies.

    https://github.com/zippykid/wooframework-updater

    Would love some update from the woo guys directly if possible.

  60. Alengio
    May 1, 2012 at 7:38 pm #

    Did you create a backup before deleting the files in the functions folder? If so, I would recommend putting the backup back into place. Then check if the functions folder includes a file called admin-theme-page.php

    If so, tell us which version of freshnews theme are you running on?

    • Alengio
      May 1, 2012 at 7:42 pm #

      Ooops, never mind above post. I see Matty is helping Rebecca in the right direction already. Matty, need some red bull? 😉

      • Rebecca
        May 1, 2012 at 7:46 pm #

        HAHA! 🙂

    • Rebecca
      May 1, 2012 at 7:46 pm #

      I’m using Fresh News 2.3.1 on 4 sites. I’ve only tried updating 2 so far, both get that fatal error thing. I did not backup the functions folder but I backed up my sites (mySQL databases) and the directory backup. I sent a quick email to techsupport as Matty asked.

      • Alengio
        May 1, 2012 at 8:00 pm #

        Seems you made a correct backup. Which means if things can’t be solved you can go back to how it was before and start “fresh”.

        But I am sure the support e-mail will get you back on track.

        Good luck!

  61. Rebecca
    May 1, 2012 at 7:47 pm #

    I’m running Kaboodle & Kaboodle Commerce themes. I was able to manually update to the recommended framework for Kaboodle, but is there anything that I need to do for the ‘kabboodle-commerce” theme?
    Thanks,
    Rebecca

    • Alengio
      May 1, 2012 at 8:03 pm #

      As long as your framework now says 5.3.12 you have done all the steps needed to fix framework problems.

      Updating your theme is something different from the framework. So it’s up to you if you can and want to update that.

    • Matty Cohen
      May 1, 2012 at 8:48 pm #

      Hi Rebecca,

      Our child themes don’t contain the WooFramework so no, those don’t require a WooFramework update.

      Glad to hear you’re up to date. 🙂

  62. Lodewijk
    May 1, 2012 at 8:05 pm #

    Hi there,

    So I’m on framework 5.3.12 now (I upgraded manually) on WP version 3.3.2. WP tells me that all my themes are up-to-date, but I run Digital Farm version 1.2.0. However, I see a new version of Digital Farm 1.4.3 available on Woothemes. I’ve 2 questions: is my site still vulnerable to this exploit? And two: how can I perform a safe and manual upgrade of the Digital Farm theme?

    Thanks!

    • Alengio
      May 1, 2012 at 8:10 pm #

      Answer 1: You are safe now!

      Answer 2: You can log into woothemes site, then download latest theme version, then install new(er) theme as you install any theme. This can be done using WP backend or through FTP. Or you can read the install instructions in the enclosed PDF file in the zip you downloaded.

      Hope this helps!

      • Lodewijk
        May 1, 2012 at 8:27 pm #

        …thanks for your info!

        But I cannot install Digital Farm -via the backend- as a new theme because the target folder ‘digital farm’ already exists and it won’t override. In the zip file is no PDF file with instructions available, only a changelog.txt. So I would like to know what the procedure is for manually updating the theme…!

        • Alengio
          May 1, 2012 at 8:58 pm #

          Unzip the zip.

          Find the folder which includes the theme.

          It’s probably called something like digital farm.

          Rename it something like digital-farm-v.X.X.X

          Then use FTP to upload folder into your wp-content/themes folder

          Go to the WP backend. The theme should now be shown but not yet active. You can choose to activate it.

          Of course before doing all this, please make a backup. This is always good practice and hopefully will cheer up Mark! 😉

  63. Mark
    May 1, 2012 at 8:19 pm #

    Everyone crying that your site is f’d up now – I suggest you’re likely not a professional user, and you could do those of us who are a favor by getting out of the way and accepting the downtime while this gets sorted out.

    If you’re actually a professional user who applied changes to your live site that cause it to go down, then you could use a couple of the most basic pointers that will serve you well in your future career as someone that runs live code requiring 100% uptime:

    – Always apply any changes to a development copy of your site first, to make sure it works without issues.
    – Have backups. Always. Lots.

  64. Tita
    May 1, 2012 at 8:22 pm #

    I use Canvas Buddypress theme. Should I update anything besides the function folder inside Canvas theme?

    • Matty Cohen
      May 1, 2012 at 9:59 pm #

      Hi Tita,

      The child theme should use the WooFramework from the parent Canvas theme, so updating the “functions” folder in Canvas should get you up to date. 🙂

      • Tita
        May 3, 2012 at 12:46 am #

        Ok. Thanks!

  65. Lodewijk
    May 1, 2012 at 8:23 pm #

    …thanks for your info!

    But I cannot install Digital Farm -via the backend- as a new theme because the target folder ‘digital farm’ already exists and it won’t override. In the zip file is no PDF file with instructions available, only a changelog.txt. So I would like to know what the procedure is for manually updating the theme…!

    • Alengio
      May 1, 2012 at 8:31 pm #

      Unzip the zip.

      Find the folder which includes the theme. It’s probably called something like digital farm.

      Rename it something like digital-farm-v.X.X.X

      Then use FTP to upload folder into your wp-content/themes folder

      Go to the WP backend. The theme should now be shown but not yet active. You can choose to activate it.

      Of course before doing all this, please make a backup. This is always good practice and hopefully will cheer up Mark! 😉

      • Lodewijk
        May 1, 2012 at 8:56 pm #

        Thanks again…this works for me!

  66. Rebecca
    May 1, 2012 at 8:31 pm #

    Oh my word, I just updated my themes and I LOVE THE NEW THEME options. From there, the framework update worked perfectly (for 2 out of 4 sites so far).

    Maybe many of the problems users are having are because they are not running the most recent theme versions, eh? Perhaps users should be notified and that would quell a lot of confusion? Just sayin.

    Thanks Matty and Alengio for your support. Thanks to guys like you, WooThemes rocks.

    • Matty Cohen
      May 1, 2012 at 8:56 pm #

      Thanks Rebecca. We’re glad you like the WooFramework update and are up to date with things. 🙂

      I believe the other two websites you’re running with Fresh News (if I remember correctly, all 4 websites are running Fresh News?) would require a theme update as well, or to comment out the “admin-theme-page.php” file call in your “functions.php” file.

      Again, really glad you’re up to date. Please let us know via an e-mail to techsupport [at] woocommerce.com if you require assistance with your remaining updates. 🙂

  67. Baron
    May 1, 2012 at 8:55 pm #

    Note that if anyone installed, or had automatically installed, v1.3.1 of the VaultPress plugin it may have broken your website. I’m running Gazette Edition and when they pushed out v1.3.1 my website just showed a blank page with no data. I narrowed it down to their plugin and retrograded down to v1.3 to fix my site. Here’s what I got today in email from VaultPress:

    “Today, we tried to update your site to VaultPress 1.3.1 with a WooThemes framework security hotfix. VaultPress 1.3.1 had a problem that caused an error for a small number of our customers. We pinpointed the problem, fixed it, and released VaultPress 1.3.2.

    Your site is running version 1.3.2 so you’ve already been updated and should not see an error.”

    They did give me credit for their subscription due to the error. Hopefully nobody did a manual plugin upgrade to v1.3.1 as they would have to manually upgrade to v1.3.2 if they don’t have the automatic feature turned on.

  68. Canton
    May 1, 2012 at 9:03 pm #

    Is there some reason the framework.zip file is so hard to download?

    I’d like to globally apply it to all my woothemes-based sites, so I figured a good start would be to download it via the terminal, i.e.

    wget http://woo.com/updates/framework.zip

    but this results in “This site requires JavaScript and Cookies to be enabled. Please change your browser settings or upgrade your browser.”

    I’m trying to have patience about this security problem, but it’s hard when
    (1) the auto-updater on most of my sites doesn’t work, reporting things like “your version 5.3.1 is up-to-date”
    (2) I can’t download the new framework ZIP file as easily as I can update (for example) wordpress.org/latest.zip

    • a
      May 1, 2012 at 9:12 pm #

      Do you want me to send it to your gmail?

    • Matty Cohen
      May 1, 2012 at 9:51 pm #

      Hi Canton,

      We are currently looking into these issues. I’d advise downloading the file via the browser in the interim.

      Downloading via the browser should allow you to then access the file via Terminal and perform your desired updates. 🙂

  69. Brandon
    May 1, 2012 at 9:30 pm #

    I also have the problem on multiple sites where it says that I have the latest version of the framework when I don’t. And I prefer not to manually update every site.

    Why are you simply providing a workaround for the “latest version” problem instead of fixing it so we can update manually? It doesn’t seem like the customer should have to go through the extra work of manually updating when it’s supposed to update automatically.

    • Brandon
      May 1, 2012 at 9:31 pm #

      I should have said, “instead of fixing it so we can update automatically.”

    • Matty Cohen
      May 1, 2012 at 9:52 pm #

      Hi Brandon,

      We are currently looking into the Automatic Update functionality.

      In order to not delay anyone in getting their WooFramework up to date, we provided the manual update steps.

      Our sincerest apologies for the inconvenience caused here.

      • Baron
        May 1, 2012 at 10:08 pm #

        Wait. There’s an Automatic Update option for the WooFramework? I have the Gazette Edition and I don’t see any option to turn automatic updates on/off.

        I ask because if the WooFramework is updated for my site automatically it will break it as I have a modified framework file.

        Or are you talking about the option to update WooFramework by hitting the update button? If so you might want to call that ‘Express Update’ instead of ‘Automatic’ which implies it’s done without human intervention.

        • Matty Cohen
          May 1, 2012 at 10:22 pm #

          Hi Baron,

          I was referring to the “Update Framework” link in the WordPress admin.

          My apologies for the confusion. I was referring to our express updater. 🙂

        • Ryan Ray
          May 1, 2012 at 10:22 pm #

          Using the updater will overwrite your modifications though, just be sure to back those up when you upgrade.

  70. Gnanes
    May 1, 2012 at 9:32 pm #

    Just manually updated the site. Thanks for heads up.

  71. Daan Diederiks
    May 1, 2012 at 10:22 pm #

    Hello Woo Guys,
    Still alive after all this hassle?

    I started replacing the functions folder in my Livewire theme, which works with Framework 2.1. The result was a blank page.
    After that I reinstalled the backup, which was all right.

    On my Livewire seems to operate an older version of Framework. So what do I do now?
    Regards,
    Daan

    • Matty Cohen
      May 1, 2012 at 10:39 pm #

      Hi Daan,

      It looks like your theme requires an update as well.

      Please let us know if we can assist with this. If so, please e-mail techsupport [at] woocommerce.com.

      Thanks Daan. 🙂

  72. nomadone
    May 1, 2012 at 10:27 pm #

    I have a few sites with woothemes, seems the framework updater is not working though, says it’s up to date but shows an old version number. Actually it’s the case with most of them.

    • Matty Cohen
      May 1, 2012 at 10:40 pm #

      Hi Nur,

      We’re aware of this issue and are currently looking into it.

      In the interim, please use the manual update process, outlined in the blog post above.

      Thanks. 🙂

  73. Karin
    May 1, 2012 at 10:48 pm #

    I am a total tech dummy, but was still able to update manually. So there is hope for the other ftp challenged out there. Hang in there Woos!!!

    • Matty Cohen
      May 1, 2012 at 10:55 pm #

      Really glad you’re up to date, Karin. Thanks for your support. 🙂

  74. Antonio Bortolotti
    May 1, 2012 at 11:08 pm #

    How do you update the framework automatically?

    • Matty Cohen
      May 1, 2012 at 11:25 pm #

      Hi Antonio,

      To clarify, I was referring to the “Update Framework” link in the WordPress admin in my comment to Baron.

      We are currently looking into the updater. In the interim, we’d recommend the manual update process outlined above.

      Thank you for your patience in this regard.

  75. Andrea
    May 1, 2012 at 11:25 pm #

    I too am unable to update the framework on Simplicity. At what point do you expect for the automatic update to be working. I am not comfortable trying anything manually, as I am really new to WordPress.org and woo themes and am REALLY fearful of screwing something up.

    • Matty Cohen
      May 1, 2012 at 11:48 pm #

      Hi Andrea,

      We’re working on getting the updater going again. No set ETA as yet, unfortunately.

      Our team of ninjas are on hand to assist with the updates as well. If you’re not 100% comfortable with a manual update, please e-mail us on techsupport [at] woocommerce.com and let our ninjas know. From there, they’re more than happy to assist with the update process. 🙂

      • Andrea
        May 2, 2012 at 2:26 am #

        Thanks for the quick fix! Just updated it in seconds. Please pass on my thanks to the ninjas!

  76. gman
    May 2, 2012 at 12:31 am #

    No automatic update? Ah, no ETA on that. Just the more important update like ever, but you are going to make it a PITA for us to deal with. I think the fact on major security update that you guys can’t get the auto update should speak to the confidence one might have in your themes in the future. You had a security flaw recently, now another one shortly thereafter.

    How about something more useful to use other than “no set ETA”? How about something more reassuring like, a team is looking at this and should be a few hours. Or perhaps you can’t admit that your system is FUBAR when in fact it is needed the most.

    Sorry to rant, but this is pathetic. Sure replies on this thread is nice but how about something more useful? I question now whether auto update will even be possible. If your team working on this isn’t big enough, make it bigger. I say manual update this.

    • Matty Cohen
      May 2, 2012 at 12:41 am #

      Hi gman,

      To clarify, our team have been working on the updater for several hours alongside our hosting provider. It is down due to our recent move to a new server. We have isolated the area in which the malfunction is occurring and are currently looking into the best possible resolution for this. We estimate several hours before the updater is active.

      For more information on our recovery process from our recent downtime, please see our blog post here: http://woo.com/2012/05/recovery-update-tuesday-1-may/

      Our sincerest apologies for the inconvenience caused here.

      • gman
        May 2, 2012 at 1:56 am #

        Appreciate a more detailed post about the automatic update situation. I might have been a bit harsh with my words.

        On a side note, perhaps Woo Themes needs a better protocol when it comes to security issues? It’s not like Windows OS that prompts you for security patches. I suppose the email was sufficient, but you should honestly border on spamming people about the need to update their blogs. Email to me is hardly a reliable method of notifying about serious security issues. Ask people for two email addresses for their sign ups. I don’t know. The more your company grows, the more stuff like this is going to bring you down and tarnish your reputation. I love what you guys do, but the previous security issue and this one seem a bit Mickey Mouse in the handling or protocols. Just my opinion, that’s all.

        • wdh
          May 2, 2012 at 3:46 am #

          Hi gman

          We have now fixed that auto update functionality. I’ve worked hard with our hosting provider to get that issue resolved and we’ll be putting measures in place to ensure that the updater will work even if our website is down.

          • Silencer
            May 2, 2012 at 9:05 am #

            Thanx for the fix and the update on the autoupdate infrastructure.
            Can you please make the main wooframework options independent now; I couldn’t load the theme options on Canvas & Over Easy at all during the downtime (framework update aside).

  77. Max
    May 2, 2012 at 1:36 am #

    How do I use the short codes now? When I’m in the post/page edit I can see the short code list but when I click, the short codes don’t insert. I think I may have disabled the short code js from loading a while back, that could be my problem. What file can I check in?

    • Matty Cohen
      May 2, 2012 at 8:57 am #

      Hi Max.

      Please e-mail us on techsupport [at] woocommerce.com or post in the forums where our ninjas can assist, if need be. 🙂

  78. gman
    May 2, 2012 at 2:12 am #

    Just wanted to say W00t! The auto update within WordPress is now available. A huge thank you guys for getting that working again. Saves a bit ‘ol hassle for a lot of us. Manual updating is soooo not WordPress if you know what I mean.

    • Ryan Ray
      May 4, 2012 at 8:02 pm #

      We know what you mean, glad to have it working again!

  79. Susanne
    May 2, 2012 at 2:21 am #

    updated! Thank you!

  80. Ken Dawes
    May 2, 2012 at 6:27 pm #

    Hi,
    I have a client using WooThemes and they have been hacked…likely from the WooTheme vulnerability. I have seen the recommendation of replacing the functions folder with the “new” version, but that was for folks to do a safety upgrade, not with someone whose site has been exploited.

    What is the mode of attack? Are theme files being overwritten or is the maliciousness confined to the functions folder files? Once attacked, do plugins or WP itself get infected?

    I have only browsed the comments here (there are so many!) and re the “Automatic Update” via WordPress… Is it being suggested that the WP Auto update can be used to clear a hacked WooThemes theme? Manual seems much safer.

    Thanks!
    Ken

    • Matty Cohen
      May 2, 2012 at 7:34 pm #

      Hi Ken,

      We’re really sorry one of your websites has been compromised.

      We’d advise updating to the latest version of the WooFramework soonest and contacting the security professionals at http://sucuri.net/ to isolate and resolve the hack. They would be able to isolate which areas of your website have been affected.

      We’d also advise changing all passwords (WordPress, FTP, database, CPanel, etc).

      Our sincerest apologies for the inconvenience caused here.

      Thanks and regards,
      Matty.

  81. Erlend Sogge Heggen
    May 3, 2012 at 4:34 am #

    I can’t confirm that our website has been compromised, but it is certainly acting up, and updating our theme and framework didn’t seem to fix it. I’d really like to know more about the recommended course of action in the case of a compromised website:
    – How can you tell if your website has been compromised? Where do you look?
    – How do you fix it? Will reverting to an earlier back up be enough?
    – We have several sites hosted on the same server, but the others are not using WooThemes. Could they still be affected?

    I think this might merit a blog post of its own.

    • Matty Cohen
      May 3, 2012 at 8:55 am #

      Hi Erlend,

      Please see my comment above to Ken on the course of action if you feel your website may have been compromised.

      We’d recommend contacting the security professionals at Sucuri ( http://sucuri.net/ ) who can scan your server and isolate any potentially compromised areas of your server.

      Our sincerest apologies for the inconvenience caused here.

  82. Louis
    May 3, 2012 at 9:33 am #

    What does this vulnerability enable a malicious hacker to do?

    I have lots of sites. I’m deciding whether to update them. If it’s not a security risk that could actually have a negative impact on me I see no reason to.

    • Matty Cohen
      May 3, 2012 at 10:39 am #

      Hi Louis,

      This update is a critical update that we advise you update to right away.

      The exploit, as detailed above in the blog post, allows unauthorized users to display shortcodes. Through this, a hacker could compromise your website.

      Our updater is available via the “Update Framework” link in your WordPress admin, to make the update process quicker.

      Our sincerest apologies for the inconvenience caused here.

  83. Sam Stevens
    May 3, 2012 at 11:35 pm #

    I don’t have to do this for Original Premium News, right? There is a /functions/ folder, but only 2 files, custom.php and easytube.php, and they’re not in the Woo Framework I downloaded.

    Unfortunately, the theme was hacked this morning. IFRAME injection in header.php. I’m not yet sure where the hole is.

    • Matty Cohen
      May 3, 2012 at 11:39 pm #

      Hi Sam,

      If the “functions” folder inside your theme doesn’t resemble that of the WooFramework, this fix wouldn’t apply to your theme, no.

      Regarding the error you’ve noted, I’d advise contacting the security professionals at Sucuri ( http://sucuri.net/ ). They would be able to advise on and resolve this hack.

      The current (latest) version of the Original Premium News theme does run on the WooFramework. Once the hack on your website has been resolved, you could upgrade to that, if you wish to do so.

      Our sincerest apologies for the inconvenience caused here.

  84. Alvin
    May 4, 2012 at 8:29 am #

    Hi, WooThemes….. I just checked Wootique theme changelog…
    Hmmm… have you updated that theme (regarding this exploit issues) lately ??

    🙂

    ==========================================================

    “………

    *** Wootique Changelog ***

    2012.04.17 – version 1.3.1
    * template-sale.php preparation for WooCommerce 1.5.4

    2012.03.29 – version 1.3
    * header.php
    includes/theme-woocommerce.php – html5 shim now hooked into wp_head
    * header.php
    includes/theme-woocommerce.php – added woo_nav_before() action and hooked search into it
    * header.php
    includes/theme-woocommerce.php- added woo_nav_after() action and hooked cart / checkout buttons into it
    * header.php – added woo_content_before() hook
    * footer.php – added woo_content_after() hook ”

    …………”

    • Matty Cohen
      May 4, 2012 at 9:08 am #

      Hi Alvin,

      The update was made to the WooFramework, which carries its own changelog file (“functions/functions-changelog.txt”).

      Clicking “Update Framework” in your WordPress admin and following the quick update process there would get your copy of the WooFramework up to date.

      Thanks! 🙂

      • Alvin
        May 4, 2012 at 10:41 am #

        oh i see..
        i got it..
        thanks, Matty Cohen

        🙂

  85. Steve Massey
    May 4, 2012 at 2:07 pm #

    Hi,
    I have updated my woothemes framework for canvas. I also am using woocommerce and canvas commerce. Do I need to do anything with these?
    Thanks

    • Matty Cohen
      May 4, 2012 at 3:11 pm #

      Hi Steve,

      WooCommerce doesn’t contain the WooFramework and your child theme piggybacks off of Canvas’ WooFramework, so you should be all good to go after updating Canvas’ WooFramework. 🙂

  86. Christof
    May 4, 2012 at 6:56 pm #

    Hi guys

    I updated the Wooframework manually, everything goes fine but then I get the message “Old version of TimThumb detected in your theme folder. Click here to update.”

    When I click “update TimThumb”, I get error “Warning: fopen(/var/www/vhosts/mysite/httpdocs/blog/wp-content/themes/canvas/thumb.php) [function.fopen]: failed to open stream: Permission denied in /var/www/vhosts/mysite/httpdocs/blog/wp-content/themes/canvas/functions/admin-functions.php on line 3368

    Can you please help me out?

    Regards

    Christof

    • Ryan Ray
      May 4, 2012 at 8:01 pm #

      Christof,

      Post in the forums for technical support. We’ll be able to help out much more thoroughly there than comments here. – http://woo.com/support-forum/

  87. Bharath Gurram
    May 7, 2012 at 12:14 am #

    Hello Guys,

    What happened to you all?? No one responding in the forum? Themes are not working properly, neither plugins.

    I’m using canvas theme for my new project and the comment system is not working in the theme, I’ve upgraded to the latest framework. WooDojo Plugin is also not working, I started a thread in the forum and it has been 2 days, no one solved my problem.

    I want you to assist me as quickly as possible. Here’s the thread: http://woo.com/support-forum/?viewtopic=75705

    • Magnus
      May 7, 2012 at 12:21 pm #

      Sorry for the late response time in the forum. During weekends it may not be answered as quickly as usual, but I’ll make sure it is answered today.

  88. Stephen Perkins
    May 7, 2012 at 4:47 pm #

    Awesome, now the Google fonts I used are no longer supported.

  89. Mary Williams
    May 7, 2012 at 10:08 pm #

    I finally managed to update the framework, for some reason the automatic update took quite a few attempts and when I was about to give up it worked.

    I want to thank you for sending a warning email to the Woothemes mailing list because WordPress does not tell you when WooThemes framework has to be updated, you need to go the necessary tab to see the warning which I hardly do.

  90. Michael
    May 10, 2012 at 10:16 pm #

    Hi,

    You guys rock! So major things happened and you dealt with it. You made it painless… all I had to do was go into my theme and click a button and all the files updated automatically. That is way above the normal FTP aggravation that most fixes would entail.

    WooCommerce rocks too!

  91. Bill
    May 12, 2012 at 3:43 pm #

    I am still getting an error on the Theme Options panel for Canvas. I manually did the update to the functions file.

    Here is the error I am receiving:

    Fatal error: Out of memory (allocated 29360128) (tried to allocate 262142 bytes) in /homepages/14/d364782900/htdocs/Pretty Things Lingerie/wp-content/themes/canvas/functions/admin-interface.php on line 1231

  92. Steven
    May 16, 2012 at 2:38 am #

    Are your free themes safe? I wanted to test-drive some themes, but was looking at the changelogs and it’s been literally years since the free themes have been updated, and no mention in the changelog of any security fixes.

    • Magnus
      May 16, 2012 at 3:16 pm #

      Hi,

      Yes they are updated as well. The WooFramework has its own changelog in functions/functions-changelog.txt

  93. Joseph
    May 24, 2012 at 8:59 am #

    I’m trying to update manually but I’m getting this error “Fatal error: Cannot redeclare woothemes_more_themes_page() (previously declared in C:\xampp\htdocs\wordpress\wp-content\themes\hotnaija\functions\admin-functions.php:2477) in C:\xampp\htdocs\wordpress\wp-content\themes\hotnaija\functions\admin-theme-page.php on line 65” what do I do?

  94. Joseph
    May 24, 2012 at 9:05 am #

    I got this ”
    Warning: require_once(C:\xampp\htdocs\wordpress/wp-content/themes/hotnaija/functions/admin-theme-page.php) [function.require-once]: failed to open stream: No such file or directory in C:\xampp\htdocs\wordpress\wp-content\themes\hotnaija\functions.php on line 18″ before I added “admin-theme-page.php” from my old theme and later got this error “Fatal error: Cannot redeclare woothemes_more_themes_page() (previously declared in C:\xampp\htdocs\wordpress\wp-content\themes\hotnaija\functions\admin-functions.php:2477) in C:\xampp\htdocs\wordpress\wp-content\themes\hotnaija\functions\admin-theme-page.php on line 65” How do I fix it?

  95. David P
    June 20, 2012 at 5:09 am #

    I have INSPIRE 1.1.2 installed on a site and there is no framework option. My account login has been suspended although I was a paying customer for 2 years and it appears my subscription just ended June 1st. How can I update this theme?

    • David P
      June 20, 2012 at 5:11 am #

      *no update framework option.

    • Magnus
      June 20, 2012 at 9:06 am #

      If you post in our support forum we will assist you with the upgrade, although your version doesn’t have shortcodes so does not have the security hole.

  96. David P
    June 20, 2012 at 5:22 am #

    Hello, on another site I just updated sealight to the latest version of the framework, only to see this message:

    Old version of TimThumb detected in your theme folder. Click here to update.

    When I click there, I see this:

    Warning: fopen(/home/logic/public_html/wp-content/themes/sealight/thumb.php) [function.fopen]: failed to open stream: Permission denied in /home/logic/public_html/wp-content/themes/sealight/functions/admin-functions.php on line 3369

    • Magnus
      June 20, 2012 at 9:07 am #

      Delete the old thumb.php manually from ‘wp-content/themes/sealight/thumb.php’

      Please use our support forum if you need more assistance.

  97. Turismo in
    June 26, 2012 at 3:48 pm #

    Who can help me please? If I click unordered list with tick in my post, the tick doesn’t appear.
