WooDojo version 1.1.1 security update released


In recent hours, a potential exploit has been brought to our attention in our screen and model loading logic in WooDojo.

Thus, we have released WooDojo version 1.1.1, a security update to remedy this issue. This update is required for all users of WooDojo and is automatically available for express download via the “Dashboard > Updates” screen in your WordPress installation.

Your security and your experience with WooDojo are of paramount importance to us. We are, therefore, working on further securing WooDojo in order to enhance your experience with the product.

Our sincerest apologies for the inconvenience caused here.

Matty Cohen

19 comments

  1. No updates appearing in my WordPress Updates?

    Calzo
    May 11, 2012
    • Hi Calzo,

      If you don’t see the update right away, please click the “Check Again” button at the top of the “Updates” screen.

      If this doesn’t produce the update in the list, please visit your “Plugins” screen, where the update should display.

      If all of the above doesn’t work, please visit http://woocommerce.com/woodojo/ to download the latest version and perform a manual upgrade.

      Our sincerest apologies for the inconvenience caused here.

      Matty Cohen
      May 11, 2012
  2. Similar to WooCommerce, why won’t you host WooDojo on WordPress.org?

    Memeza
    May 11, 2012
    • Hi Memeza,

      To clarify, WooCommerce is hosted on WordPress.org… just the premium extensions for WooCommerce aren’t hosted there. 🙂

      We’re currently working on getting WooDojo onto WordPress.org. 🙂

      Matty Cohen
      May 11, 2012
  3. Hey Matt,

    Given recent events @ Woo, if it were me, I would also email all WooThemes customers about this important update in case they do not read this blog on a regular basis or have reason to log in to their WooDashboard/WordPress site in the near future, thus potentially leaving their site vulnerable for any period of time.

    Even if they do not use WooDojo, I think most will feel more secure going forward with WooThemes knowing they can expect extra communication should security matters arise again.

    My two cents.

    Jeff.

    Jeff
    May 11, 2012
    • Agree one hundred percent. I voiced this much as well regarding framework exploit update … most people I know didn’t know about the update because they hadn’t logged into their dashboards in a few days or a week or so … this is a no-brainer when user security is at stake, especially considering many Woo users use Woo commercially, which means their businesses can be adversely affected.

      Trace
      May 11, 2012
      • With WooDojo we have a much easier update, as it is updated along with all other plugins (which should also be kept updated to avoid security holes).

        Magnus
        May 11, 2012
    • Hi Jeff, Trace,

      Thanks for your feedback on this.

      We’re doing our best to inform everyone as swiftly as possible. We are also in discussions regarding a further security audit, for which a newsletter will be sent out, I’m certain.

      We certainly learned a lot from recent events and have put measures in place to further communicate on as many channels as possible in order to reach as many of our customers as possible.

      Our sincerest apologies for the inconvenience caused here. As with everything, this is a learning experience for us.

      Thanks and regards,
      Matty.

      Matty Cohen
      May 11, 2012
    • Hi Jeff,

      First of all, thanks for your input on this! 🙂

      We have learned a lot from previous experiences, and we will most definitely send out an e-mail to all users if we feel the security issue is severe.

      In this case though it is not a critical security exploit, and we’ve decided together with our developers that it doesn’t warrant an e-mail update.

      Hope you can understand where we are coming from.

      Cheers,
      Magnus

      Magnus
      May 11, 2012
      • Hi Magnus,

        You’re welcome.

        I’m sure you all have learned much from recent events. I hope to hear more about those lessons so that we can all learn together.

        One thing that I think is an important point to consider after such an extreme event is that perception is everything.

        Whether you and your fellow ninjas consider a security issue severe enough to warrant an email to all users is actually secondary at this point in time. It is more important that your clients feel they have received sufficient communication(s) to put their minds at ease (especially in such close proximity to the recent hack/attack and DDOS of one of their trusted resources).

        I, for one, would rather you err on the side of caution and notify me by email of any/all security concerns and let me decide what they may mean to me and my clients.

        This would go a long way towards restoring some of my confidence in the security, stability and service level related to the great products you and the rest of the Woo team have created (and that many of us have made a significant part of the work/product we offer to our clients).

        This to me would be a natural extension of the excellent communication & transparency that you and your team exhibited during the attack + DDOS.

        Jeff.

        Jeff
        May 11, 2012
        • We have scheduled a security audit with Sucuri.net of Dojo, WooCommerce & the WooFramework, starting next week. So the code is bound to change in the next 6-odd weeks and we’ll be pushing the updates / optimizations (ito potential vulnerabilities) live as soon as we have those (and if they exist).

          We commit to being transparent during this process and will do everything in our power to ensure that everyone updates their code (if needed) after the audit.

          Also, as both Matty & Magnus have mentioned: the vulnerability we’ve patched is minor and does not warrant drastic action at this stage (we do not want to create a state of emergency). For critical issues, we’ll move into a higher gear in ensuring that our users are aware of the vulnerabilities / bugs, but that’s not the case with this update.

          Adii Rockstar
          May 11, 2012
    • I agree with Jeff. This kind of thing should be an immediate email to all subscribers. A blog update is not enough. I don’t think there was even a Twitter post about this issue.

      After today’s downtime, the week-long site recovery, the TimThumb security flaw, and the framework security flaw, you should have enough reasons to have already implemented a system to email everyone that subscribes when there is an issue.

      Thank you,

      Lee

      Lee
      May 15, 2012
  4. Hey Adii,

    I appreciate the info and the security initiatives.

    FYI I would not perceive an email announcing a security patch/update as a ‘state of emergency’ but merely a much more effective and timely form of communication than my next viewing of this blog (normally) and/or my next login to either my WooDashboard or one of my WordPress dashboards. This would give me the peace of mind that I have all of the information necessary to ensure all of my company’s WooThemes installations are as secure as possible as soon as possible no matter how minor/major the threat.

    We’re going to have to agree to disagree on this one.

    Jeff
    May 11, 2012
    • I totally agree with Jeff.

      Seems to me all this requires is a few additional mailing list groups and users can then opt to subscribe to the ones they want to receive, e.g. WooCommerce updates, WooDojo updates, Framework updates etc. If you only use these to push out update information, users that want them can opt in without feeling overloaded with communications from you. We shouldn’t have to review every blog post for ever more to stay updated on this!

      Sandie
      May 14, 2012
  5. No automatic upgrade for me. Please move it to the .org repo.

    So how would I know of the update, if it doesn’t show in my dashboard? You write above that this is for ALL WooDojo users, so you should shoot a newsletter about it as well.

    Silencer
    May 14, 2012
    • Hi,

      Sorry if you are having trouble with the automatic update. Could you post in our forums so we can investigate further?

      The plugin hasn’t been approved for .org yet unfortunately.

      As stated earlier, the security issue is minor and doesn’t warrant an e-mail to all our users.

      Cheers,
      Magnus

      Magnus
      May 14, 2012
      • Magnus,

        Is there a description of the security issue somewhere? I would be interested to know why it would be considered minor.

        Wouldn’t any security issue warrant an email to subscribers? Isn’t the security of our sites important enough to warrant an email?

        For example: “Hey, we have a bug that could be an issue. Check our blog for details, while we work on a fix. In the meantime, you can upgrade or disable your plugin at your discretion. – Stay Golden, WooThemes”

        Why would you not want to send out an email for any security issue?

        Thanks,

        Lee

        Lee
        May 15, 2012
  6. I am using WooSidebars, but it is not working. I create a custom sidebar area, fill it out with widgets, and save it. When I get back to the Widgets page, the custom sidebar widget is blank.

    Ricardo
    May 21, 2012
    • So sorry for the trouble here, Ricardo. Definitely hop over to our WooDojo forums for help!

      Ryan Ray
      May 22, 2012
