Framework shortcode exploit has been fixed


There are a few tweets going around about an exploit in our WooFramework. It happens to be making news around the same time we were hacked, so naturally it could cause some hysteria about a possible link between the two and a vulnerability on our users’ sites. Rest assured there is no link, and the exploit was actually fixed a few days before our website was hacked.

We have, however, issued another update to the WooThemes framework (V5.3.11, now V5.3.12) to tighten the security of our themes even further. We recommend all users update their themes to the latest version; it’s really easy. Click the “Update Framework” button in our theme framework in the WP backend to grab and install the latest version.

This from WooThemes developer Matty Cohen:

The shortcode preview functionality that was in the WooFramework’s bundled shortcode generator (the neat popup used to add shortcodes to posts and pages with a point-and-click interface) was identified as a potential security exploit several days ago. After the first report was made, we began work on isolating and resolving this exploit. This resulted in the removal of this functionality from the WooFramework (the shortcode generator is still there… just the preview functionality was removed).

The potential exploit is such that the shortcode preview allowed users to generate shortcodes using the preview window’s file, without authenticating the user.

We would have preferred the user who published the details of the exploit to have disclosed it to us securely and privately first, before sharing it on social readers where it received some unjustified, harsh critique, but for the sake of transparency we are publicly acknowledging and responding to the information at the risk of causing some nervy users.

Feel free to post any further questions below where Matty and our other developers will happily calm your nerves. What we have actioned as a result of this story is a new Twitter account that users can follow called “WooThemesDev” which will communicate theme updates and codebase details to interested users.

Follow ‘WooThemesDev’ on Twitter

Update: Version 5.3.12 of the WooFramework was recently released to ensure that the file in question is overwritten correctly by the WooFramework one-click update system. This update was flagged as “critical” and is an essential update.

Update: If you’re experiencing an issue automatically updating to V5.3.12, or the update doesn’t show for you on the “Update Framework” screen of your WordPress admin, please see our tutorial on how to perform a manual WooFramework upgrade.

If this tutorial link isn’t visible to you after being logged in to your WooThemes account, give us a shout in the Support Forum and we’ll assist in getting you upgraded.

Please ensure that all themes on your website that use the WooFramework are updated to the latest version (not just the theme you have active).

Update: Any issues that you were experiencing with our built-in auto updater have now been resolved.

Manually Upgrading the WooFramework

To manually upgrade the WooFramework, the steps are:

  1. Download the WooFramework ZIP file.
  2. Back up your entire theme onto your computer, using an FTP program (your web hosting provider should provide FTP information). This is a precaution in case you need to revert to the previous version you were running.
  3. Unzip the WooFramework ZIP file downloaded in step 1.
  4. Remove all files from the functions folder inside your theme via FTP.
  5. Replace the content of the functions folder inside your theme with the contents of the ZIP file unzipped above.
  6. Repeat this for all WooThemes using the WooFramework that are on your server, not just the active theme.
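
Steps 2, 4 and 5 above, and the requirement that every installed theme is upgraded, can be checked on a local copy of the site. The script below is an added example, not WooThemes code: it flags any theme that still carries the preview file (path taken from the demo URL quoted in the comments below) and shows why the functions folder must be emptied before the new files are copied in. It assumes WooFramework themes have a functions folder and that the framework ZIP has already been unzipped into a directory.

```shell
#!/bin/sh
# Added example, not WooThemes code.
# Path of the preview endpoint inside a theme, taken from the demo URL quoted
# in the comments on this page.
PREVIEW_REL="functions/js/shortcode-generator/preview-shortcode-external.php"

# is_stale THEME_DIR [FRAMEWORK_DIR]
# Succeeds (0) when the theme still carries a preview file that the unzipped
# framework either does not ship at all or ships with different content.
is_stale() {
    [ -f "$1/$PREVIEW_REL" ] || return 1
    # FRAMEWORK_DIR holds the *contents* of functions/, so drop that prefix.
    if [ -n "${2:-}" ] && [ -f "$2/${PREVIEW_REL#functions/}" ] &&
        cmp -s "$1/$PREVIEW_REL" "$2/${PREVIEW_REL#functions/}"; then
        return 1
    fi
    return 0
}

# audit_themes THEMES_DIR [FRAMEWORK_DIR]
# Prints the name of every installed theme (active or not) that is stale and
# returns 1 if at least one was found.
audit_themes() {
    au_found=0
    for au_theme in "$1"/*/; do
        # Assumption: a theme built on the WooFramework has a functions/ folder.
        [ -d "${au_theme}functions" ] || continue
        if is_stale "${au_theme%/}" "${2:-}"; then
            basename "$au_theme"
            au_found=1
        fi
    done
    return "$au_found"
}

# upgrade_theme THEME_DIR FRAMEWORK_DIR BACKUP_DIR
# Steps 2, 4 and 5 for one theme, on local files instead of over FTP.
# Returns 0 when the theme is clean afterwards, 1 if still stale, 2 on error.
upgrade_theme() {
    [ -d "$1/functions" ] && [ -d "$2" ] || return 2
    up_name=$(basename "$1")
    mkdir -p "$3" || return 2
    # Step 2: back up the entire theme so the old version can be restored.
    tar -cf "$3/$up_name.tar" -C "$(dirname "$1")" "$up_name" || return 2
    # Step 4: empty functions/ first. Copying over the old folder would keep
    # every file the new framework no longer ships.
    rm -rf "${1:?}/functions" && mkdir "$1/functions" || return 2
    # Step 5: copy in the contents of the unzipped framework.
    cp -R "$2"/. "$1/functions/" || return 2
    if is_stale "$1" "$2"; then return 1; fi
    return 0
}

# Usage: sh woo-audit.sh /path/to/wp-content/themes [/path/to/unzipped-framework]
if [ "$#" -ge 1 ]; then
    audit_themes "$@"
fi
```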

Mark Forrester

227 comments

  1. I haven’t developed anything using WooThemes, but have clients who have brought over Woo-based themes. The exploit’s proof-of-concept (from the Gist that I learned from it) using a link to the impacted file on demo2.woothemes.com still appears to render shortcode output.

    Can you say more about the fix? Should that still render (follow @kraft on Twitter and I’ll DM you the link. Don’t want to include it here since it is a security concern!)?

    Brandon Kraft
    April 29, 2012
    • Hi Brandon,

      Using the latest version of the WooFramework, this file and the functionality to preview shortcodes was removed entirely.

      Any examples of this exploit in effect will not render using the latest version of the WooFramework.

      Matty Cohen
      April 29, 2012
      • Matty

        This is great, but I think the real question is why is it still active on your demo servers.

        Tony Perez
        April 29, 2012
        • Hi Tony,

          We’re currently in the process of updating our demo servers. Our sincerest apologies for the inconvenience caused here.

          Matty Cohen
          April 29, 2012
  2. Guys,

    Great to hear that it is patched but why are we still able to see this: http://demo2.woothemes.com/olya/wp-content/themes/olya/functions/js/shortcode-generator/preview-shortcode-external.php?shortcode=%5Btwitter_follow%20username=%22iota%22%5D

    This patch needs to be pushed to your demo servers.

    Tony Perez
    April 29, 2012
    • Thanks Tony. Please see above comment. 🙂

      Matty Cohen
      April 29, 2012
      • Hey Bud

        Have to be honest, my bigger concern is not in how this vulnerability was disclosed by Jason Gill, but how it was not by WooThemes on April 23rd when it was found and patched: http://cl.ly/3S2o1z380L3i1D44443A, especially with a “critical” rating. What’s probably more frustrating is that the demo servers were not patched in that same timeframe.

        The disclosure by Jason has just further exasperated the situation and we must all now work together to get the word out to as many people as possible.

        Not good guys, not good at all.

        Tony

        Tony Perez
        April 29, 2012
        • Tony,

          We’ve certainly learnt a lot over the past week, with our server downtime and this possible WooFramework exploit.

          We are taking these lessons to heart and implementing further structures and channels to be able to communicate with WooThemes users as directly and as quickly as possible.

          Matty Cohen
          April 29, 2012
          • Matty et. al –

            You’re in a tough spot, and running on overtime for a while… It’s tough to know how to handle one of these fires (let alone 2) until you’re there…

            The important part is identifying the things that went well, and the things that went not-so-well, and documenting them as a policy for the next time (fingers crossed there isn’t, but this is the Internet after all).

            Cheers on being able to move forward, keeping your chins held high, and helping clients get switched over and secure as a priority.

            Matt

            Matt Kettlewell
            May 2, 2012
  3. Hey, do you have a direct download link for this? When I click the update framework link in wordpress I get a failed message..

    Jason
    April 29, 2012
    • Hi Jason.

      No problem. 🙂 Please post in our support forums and we’ll do all we can to assist with getting you to the latest version of the WooFramework.

      When posting in the forum, please also post the message you get when clicking the “Update Framework” button.

      Thanks Jason. 🙂

      Matty Cohen
      April 29, 2012
      • That Jason isn’t this Jason 🙂 Update Framework worked for me and fixed the issue.

        Ping me at attached email address, would be happy to have an honest discussion with you guys. Sorry for an unexpected day of troubles, next round of beers is on me.

        Jason Gill
        April 30, 2012
      • When I press [update framework], I get the following screen.:
        ____________
        Framework Update
        You have the latest version of WooFramework

        → Your version: 5.3.3
        _____________

        How can I force a new update? Or can I download it?

        Thank you,

        Denis

        Denis
        May 1, 2012
        • I used your link:

          http://woocommerce.com/2009/08/how-to-upgrade-your-theme/#update-6

          It’s updated.

          thank you

          Denis
          May 1, 2012
          • This doesn’t seem to work for me. Whenever I click on that link, I am automatically logged out and told that I need to be logged in to access this content. But I’m already logged into my account, so can someone help me with this please?

            When I try to update automatically, I am told that I already have the 5.3.3 version of the framework (whereas the current version is 5.3.12)

            puranjay
            May 1, 2012
          • Same problem here. I am unable to access the page even though I am logged in. It keeps returning to the login form.

            Richard
            May 1, 2012
          • Same as Puranjay and Richard below.

            Stuck in log-in loop with no way out.

            Please post the tutorial somewhere else for now.

            lukek
            May 1, 2012
          • It should be open for anyone to see since there were issues with logging in.

            Nonetheless, the update framework functionality works from within the theme options now. 🙂

            Ryan Ray
            May 2, 2012
  4. Hello,

    I was able to update the framework manually, but I thought you would like to know about a problem I was having with the automatic updater. I got a “copy failed” error message when I tried to do the automatic update. I changed the permissions on the /canvas/functions folder to 777 temporarily, and that did not solve the problem.

    Ted Folkman
    April 30, 2012
  5. New framework 5-3-12 successfully downloaded, extracted and updated.
    Will stay tuned for any other critical update:)

    Serg
    April 30, 2012
  6. My theme framework says “up to date” but it is definitely not 5-3-12. Is this something not yet working on the new setup?

    Beth
    April 30, 2012
  7. I’m trying to update three separate sites but when I click “Update Framework” I get a message reading.

    “You have the latest version of WooFramework

    → Your version:” old_version_number (Showing versions, 3.7.03, 4.5.1, & 4.6.0) for the three sites. Do I need to download this and install it manually? If so, where can I go to do this?

    TY

    Todd
    April 30, 2012
  8. Appreciate that you boys have had some rough days, but some of us have had our accounts “expire” – are you working on fixing that?

    Johnny
    April 30, 2012
  9. Hi Beth, Todd,

    To manually upgrade the WooFramework, please see our guide here: http://woocommerce.com/2009/08/how-to-upgrade-your-theme/#update-6

    Hi Johnny.

    We are aware of the subscription expiration issue and will be looking into it over the next few days. 🙂

    Matty Cohen
    May 1, 2012
    • OK, I tried to follow that link which brought me to a login page stating “This resource is only available to registered WooThemes users.” I then log in and I’m redirected to “http://woocommerce.com/dashboard/” and so when I try to paste the URL into my address bar (having just logged in) it takes me back to the “This resource is only available to registered WooThemes users.” page. Any insight into why I’m unable to find the page you’re linking to?

      TY

      Todd
      May 1, 2012
      • I’m having the exact same problem as Todd, and am also unable to post about the issue in the forum — it lets me compose my forum post, but then the submit button does nothing at all.

        Julie
        May 1, 2012
        • I’m having the same problem – the tutorial asks me to log in, even when I’m already logged in, so I can’t view it. If I log in on the prompt page, it just takes me to the dashboard.

          Evan
          May 1, 2012
          • Same issue here as all of the previous commenters noted.

            I should also note that the “Update framework” button has NEVER worked for me.

            Will we get any clarification on this?

            Konstantinos
            May 1, 2012
          • Same exact issue here. Logged in, click link and am asked to login again, when I do I go to Dashboard.

            Casey
            May 1, 2012
      • Todd, Julie, Evan, Konstantinos,

        The login issue is a known issue at present, which our team are working to resolve.

        Please email us on techsupport [at] woocommerce.com where we can assist with the upgrade, if you’re having difficulty accessing the forums as well.

        @Konstantinos – The “Update Framework” link may not be working for you due either to a permissions issue with your “wp-content” folder not being able to be written to, or due to your server not allowing the connection to be made to retrieve the information about the update.

        Our sincerest apologies for the inconvenience caused here, all.

        Matty Cohen
        May 1, 2012
        • I just wanted to say that I was having the same issue in regards to automatic upgrades, that my version of Unsigned was not recognizing that there was a new update. So I changed the permissions on wp-content to 777 from 755, and it allowed me then to see “A new version of WooFramework is available.”

          gray ayer
          May 2, 2012
          • Whenever you do get it upgraded, please remember to change your permissions back!

            Ryan Ray
            May 2, 2012
      • Again, same here

        lukek
        May 1, 2012
      • Having same problem.

        Rebecca
        May 1, 2012
    • I’m having the same problems…when I click on the link above…it’s asks me to login…then it just takes me to the dashboard. When I try to enter in the link again…same thing…so I can’t get to the tutorial on how to manually update the framework.

      Tony Oravet
      May 1, 2012
      • Hi Tony,

        Please e-mail us on techsupport[at]woocommerce.com if the link to the tutorial doesn’t work after logging out, clearing your browser’s cache and logging back in.

        From there, our ninjas will assist in getting the upgrade to you. 🙂

        Matty Cohen
        May 1, 2012
    • Hi! I can’t access this link. Every time I click it it takes me to the WooThemes login page (even if I’m already logged in!) and won’t take me any farther.

      – Update Framework page says I have the “most recent version” – 5.1.4 and I can’t get at the page to manually update.

      I’m running in circles here – please help!

      Joanna Meyer
      May 1, 2012
      • Joanna,

        The update functionality from within the theme options should be working now, please let us know if it is.

        You shouldn’t need to manually do so now. 🙂

        Ryan Ray
        May 2, 2012
  10. Have attempted to download via automatic update and get the message that I have the latest version (5.3.11). I try to login to my account and get the message that I have an expired membership–which I do not. Any help would be appreciated. I am concerned that more information wasn’t available regarding the critical nature of this exploit as well. It makes me worry about my woothemes websites (approximately 25 of them). I really like woothemes, but I lost a lot of time during the timthumb exploit and do not like the idea of having this issue again.

    Joe Watts
    May 1, 2012
    • Hi Joe,

      Regarding your subscription, we’re currently in the process of restoring this data. Thank you for your patience in this regard.

      I’d advise performing a manual upgrade, as outlined in our tutorial here: http://woocommerce.com/2009/08/how-to-upgrade-your-theme/#update-6

      Our sincerest apologies for the inconvenience caused here.

      Thanks and regards,
      Matty.

      Matty Cohen
      May 1, 2012
  11. A blog comment (by Mark Lowe) on this article on memeburn.com claimed there may be an exploit in the .12 framework.
    Can you please advise if it is safe to apply the .12 fix?

    http://memeburn.com/2012/04/premium-wordpress-theme-developer-woothemes-hacked/#comment-513968267

    Steve
    May 1, 2012
    • Hi Steve.

      I can confirm that Mark Lowe is incorrect. The file he’s referring to would be injected only to vulnerable websites. In his case, I’d upgrade to V5.3.12 and then change all passwords (FTP, CPanel, Database, WordPress, etc).

      Matty Cohen
      May 1, 2012
  12. I can’t update either b/c it says it’s already up to date w/ an outdated version. My theme updates never come through the admin either.

    vrob
    May 1, 2012
    • Hi vrob,

      Please see our tutorial here ( http://woocommerce.com/2009/08/how-to-upgrade-your-theme/#update-6 ) for steps to perform a manual upgrade.

      Thanks.

      Matty Cohen
      May 1, 2012
      • Ok, but that’s a pain…do you know why the dash upgrade isn’t working for so many people? I’d feel better if you had this on your radar and were trying to fix it…

        vrob
        May 1, 2012
      • Ok–Just tried to read the instructions to manually update and I get the same login loop others describe, so I log in, then try to access the page and it tells me to log in. So it’s nice that you’re telling everyone to upgrade, but send me another email when you fix the upgrader or the login loop…

        vrob
        May 1, 2012
  13. Hiya. Perhaps emailing users when there a critical update is available might be in order? Especially when an exploit is found …

    Trace
    May 1, 2012
  14. New framework successfully updated
    thank you

    Marie
    May 1, 2012
  15. I hit update framework in my WordPress and all I get is “You have the latest version of WooFramework

    → Your version: 5.1.3”.

    This is ridiculous, people. I’ve had my whole hosting account hacked and infected because of WooTheme bugs. Hire some security expert.

    Egor
    May 1, 2012
    • Hi Egor,

      Our sincerest apologies for the inconvenience caused here.

      I can assure that we’re doing all we can to rectify the situation as best we can.

      Matty Cohen
      May 1, 2012
  16. I noticed a problem when I updated canvas to 4.7.11. When trying to add a new menu item in one of my menus a pop-up would come up saying “Are you sure you want to do this?” with no option. Actually deleted V 4.7.11 and reinstalled V 4.7.9. Now am able to update menus but frame work update is not yet a reality. Will try to be patient as I have been in this situation myself.

    Tony
    May 1, 2012
    • Hi Tony,

      This issue has been rectified in V5.3.12 of the WooFramework.

      I’d recommend performing the same manual upgrade as you did when reverting to V4.7.9, except with V5.3.12.

      Please e-mail techsupport [at] woocommerce.com if you encounter issues, either with the automatic updater or with posting in the forum or viewing the tutorial here: http://woocommerce.com/2009/08/how-to-upgrade-your-theme/#update-6

      Thanks and regards,
      Matty.

      Matty Cohen
      May 1, 2012
  17. I have a combination of EGOR’s problem and JOEY WATT’s

    My WooFramework’s say “You have the latest version of WooFramework” when it really IS NOT (5.13, 5.0.2, or less)

    AND

    I have the expired membership problem. So when I visit your link to MANUALLY UPGRADE the framework with the tutorial, it brings me to the Expired subscription page. Can’t upgrade anything and can’t even read about it do it manually.

    Love the themes, love the support, but is really getting ridiculous …

    Mike
    May 1, 2012
    • the manual framework upgrade link started working for me so that is fixed **

      Mike
      May 1, 2012
      • Thanks for letting us know, Mike. 🙂

        Matty Cohen
        May 1, 2012
  18. Same:

    You have the latest version of WooFramework

    → Your version: 5.3.11

    Tom
    May 1, 2012
    • Hi Tom,

      If the above-mentioned tutorial link isn’t visible to you, please let us know on techsupport [at] woocommerce.com and we’ll assist you in upgrading. 🙂

      Matty Cohen
      May 1, 2012
  19. Hi team,

    I see this message:

    You have the latest version of WooFramework

    → Your version: 5.3.3

    No updates for a recommended V5.3.12 is available.

    Regards,
    Igor

    Igor
    May 1, 2012
    • Hi Igor,

      Please see the link to our manual upgrade tutorial above.

      Our sincerest apologies for the inconvenience caused here.

      Thanks and regards,
      Matty.

      Matty Cohen
      May 1, 2012
  20. Sorry, I’m logged out every time I try to reach the link to the manual update entry. What can I do?

    tmeise
    May 1, 2012
    • Hi there.

      Please e-mail support [at] woocommerce.com and we can assist with the update.

      Our sincerest apologies for the inconvenience caused here.

      Matty Cohen
      May 1, 2012
  21. Howdy woo – great to see you back – ive upgraded my woo framework and I get the message: “all up to date on 5.1.6” no mention of 5.3.12? Any ideas?

    allmyhoney
    May 1, 2012
    • Hi there. 🙂

      We’d recommend a manual upgrade in that case. Please see the blog post for a link to the manual WooFramework upgrade tutorial.

      If this tutorial is inaccessible to your WooThemes account, please e-mail us on support [at] woocommerce.com and we’ll assist with getting you upgraded. 🙂

      Matty Cohen
      May 1, 2012
      • il send in an email matty as I cannot download anything right now from woo – even after reactivating 🙁

        allmyhoney
        May 1, 2012
  22. There is another download link for the latest Framework file on this member forum post: http://woocommerce.com/support-forum/?viewtopic=75054

    Thomas
    May 1, 2012
  23. I can login to my account, but I’m one of the users that has the message that the account is no longer active. I can’t get to the manual framework link because the site logs me out on clicking the link, and on logging back in I’m taken elsewhere.

    @thomas – thanks, I’ve at least got hold of the framework now.

    Could someone confirm how I update it? Do I just unzip if over the Theme name folder? Maybe a cut ‘n’ paste from the tutorial that we can’t reach to a sticky on the forum, and/or this blog post?

    Sandie
    May 1, 2012
    • OK, overwriting the files doesn’t work.

      Just received general email pushed out, which doesn’t contain instructions.

      HELP!

      Sandie
      May 1, 2012
  24. I’ve logged in but I can’t enter (http://woocommerce.com/2009/08/how-to-upgrade-your-theme/) this page. I’m sure this is not a cookie issue, I have dashboard access.

    Mustafa
    May 1, 2012
  25. Why you are not writing the direct link to WooFramework 5.3.12? http://woocommerce.com/updates/framework.zip

    Tom
    May 1, 2012
  26. I’ve got the same issue with the link that Mustafa mentions.

    Keith
    May 1, 2012
  27. Ok

    Lets go through some of the issues here that I (and maybe others are experiencing) I have a subscription account which doesn’t work, it tells me it has expired. I have sent a number of emails to support but have yet to have issue rectified.

    I have a number of high value clients that would be mortified to know their websites are vulnerable.

    Many of the sites I have tried to update the framework with tell me I have latest version of framework when I clearly don’t.

    I can’t access latest files because logins don’t work and there is nothing for me to download – even though I should have access to all.

    I understand the problems Woo are facing but these are serious times.

    Still waiting

    Peter

    Peter Ricci
    May 1, 2012
  28. Geez Users – back off. Give this provider some time to rectify things. Just because we don’t have the latest framework is NO reason to panic. Hell, we’ve probably been at risk for some time. And, the truth be known, there are probably other vulnerabilities in our themes and frameworks. So, get over it! Just make sure you actually back your sites up routinely and then you can breathe. Gosh sakes.

    Marcus Tibesar
    May 1, 2012
    • Marcus

      No one is abusing Woo here. However when you cannot access certain information, when it is critical to do so, then of course people are anxious.

      Your assertion that we have probably been at risk for sometime, is weird. There is a difference between security vulnerabilities being published online by others and a security notification by the company itself.

      Very different!

      Peter

      Peter Ricci
      May 1, 2012
  29. The 5.3.12 update doesn’t show for me on the “Update Framework” menu. so i tried to upload manually by logging in. i realized that i forgot my password on Woothemes. so i clicked Lost Password? then wrote me email. I got an email saying “This site requires JavaScript and Cookies to be enabled. Please change your browser settings or upgrade your browser.” so sending new password system is not working…

    Volkan
    May 1, 2012
  30. Good luck on sorting all this guys and well done on efforts so far, but I’m one of the many frustrated people who cannot update.

    The dashboard doesn’t work – it says I’m on the latest where I’m not.

    The manual link to update doesn’t work – it just loops me around login/dashboard and never shows the page.

    There is nowhere else to download 5.3.12 from.

    So you have a fix, but there is no way for me to actually access it. Can someone else who has 5.3.12 upload to somewhere else and provide a link here please? I have multiple vulnerable sites that need patching ASAP!

    Thanks in advance.

    (oh and to top it all off, the createsend mailer that just came out from Adii is a little broken too (i.e. techsupport@ mailto link is broken).

    I know you’re trying your hardest but I think you need to make this update publicly available on a trusted server/3rd party host as soon as possible, instead of relying on people being able to access it through the woo domains which just isn’t working for me and many others.

    Pete

    Pete Meadows
    May 1, 2012
    • OK, I’ve got working links. I’m not sure if there was a good reason for not publicly posting the framework link – could that lead to more attacks? So I’ll post the link that works for me and the method that worked for me in the General forum ASAP. Keep refreshing 😉

      Sandie
      May 1, 2012
  31. Can you simply post the instructions here? I submitted a support ticket email almost an hour ago with no reply. I cannot access the instructions page because it keeps asking me to log into the website when I am clearly logged in.

    idEric
    May 1, 2012
    • I couldn’t access the instruction page either, but I can now access the forum.

      You need to use the download to replace the existing theme functions folder.

      Sandie
      May 1, 2012
      • Great, thank you.

        idEric
        May 1, 2012
  32. Hello Guys,

    I have tried to update the WooFramework through the dashboard however, when I try I get this error “Failed: Filesystem preventing downloads. ( ftpext)”.

    What should I do next?

    Mike
    May 1, 2012
  33. every time I go to that instruction page for the framework I get logged out and can’t see anything

    mike
    May 1, 2012
  34. hi do we need to update woocommerce?

    vivedesigsn
    May 1, 2012
    • You should always keep WooCommerce up to date.

      James Koster
      May 1, 2012
  35. Hi,
    I can’t update the woo framework automatically from my theme (inside admin area), and every time I click on the instructions for the manual update, I get logged out and I can’t see them…
    Please forward a link to the manual instructions which I can see (it seems that Mike has the same problem!).
    Thanks,
    Kenny

    Kenny
    May 1, 2012
  36. Hi all,

    Yes, there was a good reason for not posting the direct link to the ZIP file here.

    If you encounter issues with the automatic updater, please download the ZIP file from the link that several commenters have now posted.

    The steps are:
    – Download ZIP file, either from the direct link posted by several commenters here, or by e-mailing us for the ZIP file.
    – Backup your entire theme onto your computer. This is a precaution in case you need to revert to the previous version you were running.
    – Unzip the WooFramework ZIP file downloaded in step 1.
    – Remove all files from the “functions” folder inside your theme via FTP.
    – Replace the content of the “functions” folder inside your theme with the contents of the ZIP file unzipped above.

    You should now be running the latest version of the WooFramework.

    Please see above in the blog post as well. If you encounter issues with these steps or with the download, please contact us directly on techsupport [at] woocommerce.com rather than commenting here. 🙂

    Thanks and regards,
    Matty.

    Matty Cohen
    May 1, 2012
  37. “I can’t update the woo framework automatically from my theme (inside admin area), and every time I click on the instructions for the manual update, I get logged out and I can’t see them…
    Please forward a link to the manual instructions which I can see (it seems that Mike has the same problem!).
    Thanks,
    Kenny”

    I have got the same problems, I cannot access the instructions for manual update. When trying to access it, I have to login and get redirected to my account dashboard.

    Please, let me know how to access the manual update instructions.

    Ellen
    May 1, 2012
    • Hi Ellen,

      I’ve added manual update instructions to this blog post.

      Our sincerest apologies for the inconvenience caused here.

      Matty Cohen
      May 1, 2012
      • Hi Matty!

        Thanks for the instructions. (Your post was published, when I was still writing mine, sorry if I seemed concerned or impatient.)

        I could update all of my woothemes’ framework.

        Ellen
        May 1, 2012
  38. This is getting old, timthumb and now this?

    JB
    May 1, 2012
  39. The below works just fine. Make a complete backup first

    http://woocommerce.com/updates/framework.zip

    Replace all files in the /functions directory

    Now you have manually patched the framework

    Michael

    Michael
    May 1, 2012
  40. I’m running Framework 2.7.10 and watched a video on the Woothemes site about being able to update your framework via WordPress. I don’t know what’s wrong, but there is no button in my Busy Bee section of WordPress that allows me to update the framework. I don’t know how to update it manually because the instructions are confusing me.

    Stevie
    May 1, 2012
    • Hi Stevie,

      We’d definitely recommend upgrading from a V2.x of the WooFramework. I don’t believe automatic updates were present in those versions, unfortunately.

      If you require assistance in performing this upgrade, please e-mail us on techsupport [at] woocommerce.com.

      To rephrase the instructions, it would be:

      – Backup your theme from your website (via FTP) onto your computer.
      – Download the ZIP file linked to above and unzip it.
      – Via FTP, remove the contents of the “functions” folder of the theme.
      – Replace the contents of the “functions” folder with the contents of the ZIP file unzipped in step 2.

      I hope that helps. If not, please e-mail us and we can assist. 🙂

      Thanks and regards,
      Matty.

      Matty Cohen
      May 1, 2012
  41. I submitted a help ticket on this but maybe this thread will be quicker. I did a manual update because the install didn’t see it needed to be updated. I forgot to empty the functions folder first. I copied over the new files and overwrote everything which seems like it should still be fine. However I now have an error message and the site doesn’t come up.

    Fatal error: Cannot redeclare woothemes_more_themes_page() (previously declared in /home/jenna/public_html/chinatrip/wp-content/themes/postcard/functions/admin-functions.php:2476) in /home/jenna/public_html/chinatrip/wp-content/themes/postcard/functions/admin-theme-page.php on line 64

    I’m wondering if not emptying the folder caused this or what else did. Also wondering if there’s a fix other than restoration. It makes me not want to do the manual update on any of installs until I know why this one went awry.

    Thanks,
    Sheila

    Sheila Hoffman
    May 1, 2012
    • Hi Sheila,

      Removing the “admin-theme-page.php” file should resolve this. If not, please e-mail us on techsupport [at] woocommerce.com where we can assist directly. 🙂

      Thanks and regards,
      Matty.

      Matty Cohen
      May 1, 2012
      • Thanks Matty. But removing that file did not fix it. I’ve put in to my host to restore the site at this point. But I’m nervous to try this on another site. Do you think it was caused by not emptying that folder first?

        Sheila Hoffman
        May 1, 2012
        • Hi Sheila,

          That’s possible, yes.

          If you encounter further issues of this nature, please e-mail techsupport [at] woocommerce.com where our ninjas are on hand to assist. 🙂

          Matty Cohen
          May 1, 2012
          • Per your request I emailed on May 1. On May 3 Tiago Noronha asked for my login credentials and told me s/he would look into it and would do the upgrade for me. It’s now May 11 and I haven’t heard back. I emailed again to touch base and got an automated response back that I should post! Instead of starting a new forum thread I thought I’d ask you here if someone is still looking into this for me or what my next steps are. I basically have failed to do the manual upgrade twice from v2.2.3 of the framework. Thank you.

            Sheila Hoffman
            May 12, 2012
          • What is the link to your forum thread?

            Magnus
            May 12, 2012
          • Odd, it won’t let me respond to you under your question but it will here!

            There isn’t a link to a forum thread. I had posted here (see above) and was asked to email support. I did so and by email was asked for login credentials which I sent. I have successfully manually updated another Postcard themed site. But this one failed twice requiring a backup restore. The site has framework 2.2.3 installed with Postcard v1. The other one I updated had a newer version. I’m guessing that could be the issue. If you guys can’t help me I was thinking I’d do a data backup and try starting from scratch on a dev site with a new install and import my data. I just have to be sure I find and transfer any customizations. I did this site a LONG time ago and it was pro-bono so I really don’t want to put a ton of time into it. But I’m worried about leaving it vulnerable.

            I can email my credentials again if that would help. This is what I received ….

            MAY 03, 2012 | 07:53PM CAT
            Sheila,

            Can you send us your WordPress admin & FTP login so we can debug the issue?

            I’ll personally update the theme framework for you. 🙂

            Thanks!
            Regards,
            Tiago

            Sheila Hoffman
            May 12, 2012
          • OK, after typing my last post I decided to take the bull by the horns. I read how to update the theme and indeed, doing so fixed the problem. So I’m good-to-go now. It might’ve been helpful if someone had simply suggested that to start with. Everything I read said the theme version didn’t matter it was the framework that needed updating. But with a v1 theme it simply didn’t work. Happy to close my needs out.

            Sheila Hoffman
            May 12, 2012
    • Sheila, Did removing “admin-theme-page.php” help? I removed it and received additional errors like:

      Warning: require_once(/nfs/c04/h02/mnt/80256/domains/blog.eduardogonzalezloumiet.com/html/wp-content/themes/mainstream/functions/admin-theme-page.php) [function.require-once]: failed to open stream: No such file or directory in /nfs/c04/h02/mnt/80256/domains/blog.eduardogonzalezloumiet.com/html/wp-content/themes/mainstream/functions.php on line 18

      Fatal error: require_once() [function.require]: Failed opening required ‘/nfs/c04/h02/mnt/80256/domains/blog.eduardogonzalezloumiet.com/html/wp-content/themes/mainstream/functions/admin-theme-page.php’ (include_path=’.:/usr/local/php-5.2.17/share/pear’) in /nfs/c04/h02/mnt/80256/domains/blog.eduardogonzalezloumiet.com/html/wp-content/themes/mainstream/functions.php on line 18

      Eduardo Gonzalez Loumiet
      May 1, 2012
      • Hi Eduardo,

        Your “functions.php” file is calling the “admin-theme-page.php” file.

        Commenting out or removing this line from your “functions.php” file would resolve this.

        The alternative is also to upgrade to the latest version of your theme, using the download from your WooThemes Account Dashboard. 🙂

        If you encounter issues with commenting out the legacy code in your “functions.php” file, please e-mail techsupport [at] woocommerce.com where our ninjas are on hand to assist. 🙂

        Matty Cohen
        May 2, 2012
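
The manual update steps listed in comment 40, together with the two failures reported in comment 41 and its replies (leftover files when the folder is overwritten without being emptied, and a `functions.php` that still loads a file the update removes), as an added example that is not WooThemes code. Function names, paths and the constructed sample tree are assumptions; only `admin-functions.php` and `admin-theme-page.php` are file names taken from the error messages quoted above.

```bash
#!/usr/bin/env bash
# Added example (not WooThemes code): the manual framework swap described in
# this thread, plus checks for the two fatal errors commenters ran into.

# Step 1: archive the whole theme directory; prints the archive path.
backup_theme() {                 # backup_theme THEME_DIR BACKUP_DIR
    local theme_dir=$1 backup_dir=$2 archive
    archive="$backup_dir/$(basename "$theme_dir")-$(date +%Y%m%d%H%M%S).tar.gz"
    mkdir -p "$backup_dir" &&
        tar -czf "$archive" -C "$(dirname "$theme_dir")" "$(basename "$theme_dir")" &&
        printf '%s\n' "$archive"
}

# Files in the theme's functions/ folder that the unzipped framework does not
# ship. Overwriting without emptying the folder leaves these behind, which is
# the situation behind the "Cannot redeclare" error in comment 41.
stale_framework_files() {        # stale_framework_files THEME_DIR NEW_FW_DIR
    local theme_dir=$1 new_fw=$2 rel
    (cd "$theme_dir/functions" && find . -type f | sed 's|^\./||' | sort) |
        while IFS= read -r rel; do
            [ -e "$new_fw/$rel" ] || printf '%s\n' "$rel"
        done
}

# Stale PHP files that the theme's functions.php still names on a line that is
# not commented out. Once the folder is emptied, each of these becomes a
# "Failed opening required" fatal error. Output format: FILE:LINE_NUMBER.
dangling_requires() {            # dangling_requires THEME_DIR NEW_FW_DIR
    local theme_dir=$1 new_fw=$2 rel line rest
    [ -f "$theme_dir/functions.php" ] || return 0
    stale_framework_files "$theme_dir" "$new_fw" |
        while IFS= read -r rel; do
            case $rel in *.php) ;; *) continue ;; esac
            grep -nF -- "$(basename "$rel")" "$theme_dir/functions.php" |
                grep -Ev '^[0-9]+:[[:space:]]*(//|#)' |
                while IFS=: read -r line rest; do
                    printf '%s:%s\n' "$rel" "$line"
                done
        done
}

# Steps 3 and 4: empty functions/ first, then copy the fresh framework in.
replace_functions_dir() {        # replace_functions_dir THEME_DIR NEW_FW_DIR
    local theme_dir=$1 new_fw=$2
    [ -d "$theme_dir/functions" ] && [ -n "$(ls -A "$new_fw" 2>/dev/null)" ] || return 1
    find "$theme_dir/functions" -mindepth 1 -delete &&
        cp -R "$new_fw"/. "$theme_dir/functions"/
}

# Whole procedure. Returns 2 without touching anything when functions.php
# still loads a file that the update would remove.
manual_framework_update() {      # manual_framework_update THEME_DIR NEW_FW_DIR BACKUP_DIR
    local theme_dir=$1 new_fw=$2 backup_dir=$3 dangling
    dangling=$(dangling_requires "$theme_dir" "$new_fw")
    if [ -n "$dangling" ]; then
        printf 'functions.php still loads files the update removes:\n%s\n' "$dangling" >&2
        return 2
    fi
    backup_theme "$theme_dir" "$backup_dir" >/dev/null || return 1
    replace_functions_dir "$theme_dir" "$new_fw"
}

# Constructed sample tree for trying the functions out offline. The theme
# name and the contents of every file are made up.
make_constructed_fixture() {     # prints the fixture root
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/themes/sample-theme/functions" "$root/framework"
    printf '<?php // old\n' > "$root/themes/sample-theme/functions/admin-functions.php"
    printf '<?php // old\n' > "$root/themes/sample-theme/functions/admin-theme-page.php"
    printf '<?php // new\n' > "$root/framework/admin-functions.php"
    cat > "$root/themes/sample-theme/functions.php" <<'PHP'
<?php
$functions_path = dirname(__FILE__) . '/functions/';
require_once($functions_path . 'admin-functions.php');
require_once($functions_path . 'admin-theme-page.php');
PHP
    printf '%s\n' "$root"
}

# Usage on a development copy of the site (placeholder paths):
# manual_framework_update /path/to/themes/THEME /path/to/unzipped-framework /path/to/backups
```

Run it against a development copy first; a return code of 2 means the theme's `functions.php` needs the listed line commented out, or the theme itself updated, before the swap.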
  42. I am really frustrated that the tutorial page isn’t working:

    http://woocommerce.com/2009/08/how-to-upgrade-your-theme/#update-6

    I just get to the login page (although I’m already logged in). I try again and the page refreshes. No tutorial – when I need it the most.

    Please, woo guys, figure out a way that we don’t have to go through anything like this again.

    Peter
    May 1, 2012
    • They’ve pasted the tutorial at the top of the page mate.

      lukek
      May 1, 2012
  43. I have no idea how to do steps 2, 4 and 5 from your instructions. I have never used FTP or done a manual backup. Those of us who are not techies require more specific instructions, please. How do you “backup your theme to your computer”?

    scott
    May 1, 2012
    • Step 2:
      Log in to your WordPress installation. On the left-hand menu, click on the menu item which displays the name of your theme. Click on ‘Backup Settings’. There are two backups to complete, the WooThemes one, and at the top of that page you’ll see a link to the WordPress Export Tool. Since it sounds like you haven’t been taking backups of your site to date, suggest you complete both backups 😉

      If you can get into the forums, you’ll find other help there 😉

      Sandie
      May 1, 2012
    • Scott,

      The FTP related steps involved connecting to your web server using an FTP program such as “Transmit” for the Mac, or FileZilla (or another such program) for Windows.

      From there, you’d navigate to your “themes” folder and drag the folder containing your theme’s files onto your computer’s desktop.

      We recommend a backup of the physical files, just in case you ever need them.

      If you’d like us to assist, please e-mail us on techsupport [at] woocommerce.com.

      Matty Cohen
      May 1, 2012
  44. Great. I have invested way too heavily in Woo. I have quite a few sites with your themes and none of them can be updated automatically for some reason. I’m on a satellite connection and this is going to kill a day or two of my time just to fix this via FTP.

    Thanks for the notice though.

    JPatt
    May 1, 2012
  45. The auto update and manual updates ARE NOT WORKING! The link in this post sends you into an infinite login loop. Same for the link in the email that Adii sent out earlier today.

    Smoovep
    May 1, 2012
  46. As mentioned above, the Framework auto updates are not working (Canvas). When one goes to the Update Framework page, it shows that it has the latest version (5.2.2) even when this is not the latest version. I know you guys have had a hard week (understatement), but this needs to be fixed.

    Frank McClung
    May 1, 2012
  47. I’m not a coder/developer/hacker but a possible idea to deal with some security issues:

    Create a fund/reward system to pay individuals who find major bugs in Woo products and report them to you guys first confidentially. Just some incentive for people to hack away at your system and report instead of taking it down.

    M
    May 1, 2012
  48. Hi all,

    If you see a comment that is the same issue that you’re experiencing, we are aware of it. There’s no need to repost about the same issue. 🙂

    Please follow the steps in the blog post above. If you get stuck with these steps, please e-mail us directly, rather than commenting on this blog post (this is a blog post for conveying information. Support can be done via the Support Forums or over e-mail at techsupport [at] woocommerce.com if you require assistance with the steps).

    Thanks all. We really appreciate your patience during this time and are very sorry for the inconvenience caused here.

    Matty Cohen
    May 1, 2012
  49. Question: If the themes are up-to-date why would we have to change out the files in functions folder? Why would we not just update the theme and be done with it?

    jpatt
    May 1, 2012
    • Hi jpatt,

      The theme version and WooFramework version are different entities. Having an up to date theme doesn’t constitute having an up to date WooFramework, and vice versa.

      More information on this can be found in a blog post we published on what components make up a WooTheme. 🙂

      The reason for changing out the entire “functions” folder is to ensure that all files are fresh versions (it’s also easier than updating just one or two files). 🙂

      Matty Cohen
      May 1, 2012
      • Got it. An updated theme may not include the latest framework.

        Jpatt
        May 1, 2012
  50. May I suggest a maybe faster way to update for those with ftp challenges. Not sure if this is woo approved or not. Not sure of reason for not just replacing theme.
    Idea:
    Open extracted Framework file. Copy files (select > copy)
    Open extracted woo theme. Go to functions folder. Delete files. Paste in new ones. Compress theme again. Re-install via WordPress.

    Just suggesting – May not work for reasons unknown to me. – Not necessarily woo approved.

    jpatt
    May 1, 2012
  51. The link at the top of this post and manual update via FTP worked for me on two sites just now. No love on the auto update from the dashboard, but the manual was fairly painless. FYI…

    John
    May 1, 2012
  52. Followed the (very simple) steps for the Manual update (DLd the zip etc.) and all seems fine in that I was running 4.2.1 and its now showing I’m running 5.3.12, BUT it also says,

    Old version of TimThumb detected in your theme folder. Click here to update.

    Yet, I literally just DLd the zip, so would have thought I have the latest of everything… Don’t want to undo what I just did, so wondering do I click or not click?

    Claire

    PS. Appreciate your transparency, service dedication etc. and am sending virtual hugs/high fives/positive thoughts your way. Must have been a nightmarish week at Woo Towers. Thank you. 🙂

    Claire Raikes
    May 1, 2012
    • Hi Claire,

      I suspect the TimThumb was detected in your theme. I’d recommend letting the TimThumb detector do its task, which will convert to using the latest version of TimThumb, which is available in the WooFramework.

      Thanks for your support, Claire. 🙂

      Matty Cohen
      May 1, 2012
  53. Hi,
    I just downloaded your free theme, swatch. It still has the preview shortcode file with all the code intact.

    Satish Gandham
    May 1, 2012
    • Hi Satish,

      We’re currently updating all theme packages. Please bear with us while the updated files upload.

      Thanks. 🙂

      Matty Cohen
      May 1, 2012
  54. Well I give up, I asked for help via email as I can’t get framework updated via the themes dashboard or through the link here and I was given the link to this page again.

    Barbara
    May 1, 2012
    • Don’t give up 😉 The blog post above has been updated with instructions, (including a link that works for those of us that couldn’t use the previous link). If that doesn’t work, try the forum or e-mail support.

      Sandie
      May 1, 2012
  55. I am puzzled.

    According to the indicator on my Theme Options page as well as the info on my Update Framework page, I’m running 5.3.7

    How do I upgrade from 5.3.7 to 5.3.12? Wouldn’t that be a downgrade?

    I’m running Emporium as my theme.

    What gives?

    Seth
    May 1, 2012
    • Last time I checked, 12 is higher than 7, this is definitely an upgrade 🙂

      Wil
      May 1, 2012
      • You, sir, are absolutely correct.

        Until you pointed it out, I was reading it as 5.3.7 vs 5.3.7.1.2

        I always use single digits between dots for my plugin / theme versions…

        Thanks for setting me straight. I’m off to upgrade!

        Seth
        May 1, 2012
  56. Hi there,
    I just replace manual and it works 🙂

    Should I update my WP to the 3.3.2 version ?

    Thank you!

    Lupisima
    May 1, 2012
    • Hi Lupisima,

      We’d recommend keeping your WordPress installation up to date on a regular basis, yes. 🙂

      Matty Cohen
      May 1, 2012
  57. OK, I manually updated the functions folder EXACTLY as detailed here. I am getting a fatal error now!!!!!!!!!!!

    Fatal error: require_once() [function.require]: Failed opening required ‘/home/YADDAYAYAD/public_html/MYBLOG/wp-content/themes/freshnews/functions/admin-theme-page.php’ (include_path=’.:/usr/lib/php:/usr/local/lib/php’) in /home/YADDAYADA/public_html/MYBLOG/wp-content/themes/freshnews/functions.php on line 18

    ??? I am not a tech expert. Please tell me what this means. I have Woo Themes on 5 of my sites, all are commercial sites. This is atrocious.

    Rebecca
    May 1, 2012
    • Hi Rebecca,

      This file should not be present on the server, nor required by another file.

      Please e-mail us on techsupport [at] woocommerce.com where we can assist with this upgrade.

      You may need to comment out a line in the “functions.php” file of Fresh News, I believe.

      Matty Cohen
      May 1, 2012
      • Update: This line isn’t in the latest version of Fresh News’ “functions.php” file. I suspect you’re running an older version of the theme (which should be fine, by the way) and would just need to patch one line in your “functions.php” file. 🙂

        I’ve informed the team to keep an eye out for your e-mail and what the issue is. 🙂

        Matty Cohen
        May 1, 2012
        • Matty: THANKS for the speedy response. Yes, i am using an old theme version. I emailed techsupport. I hope they answer soon! 🙂 THANKS!!!!!

          Rebecca
          May 1, 2012
  58. I tried to go to the link you provided to manually update my theme (http://woocommerce.com/2009/08/how-to-upgrade-your-theme/#update-6), but I get a login page and I am not a subscriber. I’m using the Bueno theme. How can I get the instructions?

    Joe
    May 1, 2012
    • Hi Joe,

      Please see the updated blog post above, containing instructions. 🙂

      Thanks and regards,
      Matty.

      Matty Cohen
      May 1, 2012
  59. I’ve written a quick and dirty mass updater for other hosting companies.

    https://github.com/zippykid/wooframework-updater

    Would love some update from the woo guys directly if possible.

    Vid Luther
    May 1, 2012
  60. Did you create a backup before deleting the files in the functions folder? If so, I would recommend putting the backup back into place. Then check if the functions folder includes a file called admin-theme-page.php

    If so, tell us which version of freshnews theme are you running on?

    Alengio
    May 1, 2012
    • Ooops, never mind above post. I see Matty is helping Rebecca in the right direction already. Matty, need some red bull? 😉

      Alengio
      May 1, 2012
      • HAHA! 🙂

        Rebecca
        May 1, 2012
    • I’m using Fresh News 2.3.1 on 4 sites. I’ve only tried updating 2 so far, both get that fatal error thing. I did not backup the functions folder but I backed up my sites (mySQL databases) and the directory backup. I sent a quick email to techsupport as Matty asked.

      Rebecca
      May 1, 2012
      • Seems you made a correct backup. Which means if things can’t be solved you can go back to how it was before and start “fresh”.

        But I am sure the support e-mail will get you back on track.

        Good luck!

        Alengio
        May 1, 2012
  61. I’m running Kaboodle & Kaboodle Commerce themes. I was able to manually update to the recommended framework for Kaboodle, but is there anything that I need to do for the ‘kaboodle-commerce’ theme?
    Thanks,
    Rebecca

    Rebecca
    May 1, 2012
    • As long as your framework now says 5.3.12 you have done all the steps needed to fix framework problems.

      Updating your theme is something different from the framework. So it’s up to you if you can and want to update that.

      Alengio
      May 1, 2012
    • Hi Rebecca,

      Our child themes don’t contain the WooFramework so no, those don’t require a WooFramework update.

      Glad to hear you’re up to date. 🙂

      Matty Cohen
      May 1, 2012
  62. Hi there,

    So I’m on framework 5.3.12 now (I upgraded manually) on WP version 3.3.2. WP tells me that all my themes are up-to-date, but I run Digital Farm version 1.2.0. However, I see a new version of Digital Farm 1.4.3 available on Woothemes. I’ve 2 questions: is my site still vulnerable for this exploit? And two: how can I perform a safe and manual upgrade of the Digital Farm theme?

    Thanks!

    Lodewijk
    May 1, 2012
    • Answer 1: You are safe now!

      Answer 2: You can log into woothemes site, then download latest theme version, then install new(er) theme as you install any theme. This can be done using WP backend or through FTP. Or you can read the install instructions in the enclosed PDF file in the zip you downloaded.

      Hope this helps!

      Alengio
      May 1, 2012
      • …thanks for your info!

        But I cannot install Digital Farm -via the backend- as a new theme because the target folder ‘digital farm’ already exists and it won’t override. In the zip file is no PDF file with instructions available, only a changelog.txt. So I would like to know what the procedure is for manually updating the theme…!

        Lodewijk
        May 1, 2012
        • Unzip the zip.

          Find the folder which includes the theme.

          It’s probably called something like digital farm.

          Rename it something like digital-farm-v.X.X.X

          Then use FTP to upload folder into your wp-content/themes folder

          Go to the WP backend. The theme should now be shown but not yet active. You can choose to activate it.

          Of course before doing all this, please make a backup. This is always good practice and hopefully will cheer up Mark! 😉

          Alengio
          May 1, 2012
  63. Everyone crying that your site is f’d up now – I suggest you’re likely not a professional user, and you could do those of us who are a favor by getting out of the way and accepting the downtime while this gets sorted out.

    If you’re actually a professional user who applied changes to your live site that cause it to go down, then you could use a couple of the most basic pointers that will serve you well in your future career as someone that runs live code requiring 100% uptime:

    – Always apply any changes to a development copy of your site first, to make sure it works without issues.
    – Have backups. Always. Lots.

    Mark
    May 1, 2012
  64. I use Canvas Buddypress theme. Should I update anything besides the function folder inside Canvas theme?

    Tita
    May 1, 2012
    • Hi Tita,

      The child theme should use the WooFramework from the parent Canvas theme, so updating the “functions” folder in Canvas should get you up to date. 🙂

      Matty Cohen
      May 1, 2012
      • Ok. Thanks!

        Tita
        May 3, 2012
  65. …thanks for your info!

    But I cannot install Digital Farm -via the backend- as a new theme because the target folder ‘digital farm’ already exists and it won’t override. In the zip file is no PDF file with instructions available, only a changelog.txt. So I would like to know what the procedure is for manually updating the theme…!

    Lodewijk
    May 1, 2012
    • Unzip the zip.

      Find the folder which includes the theme. It’s probably called something like digital farm.

      Rename it something like digital-farm-v.X.X.X

      Then use FTP to upload folder into your wp-content/themes folder

      Go to the WP backend. The theme should now be shown but not yet active. You can choose to activate it.

      Of course before doing all this, please make a backup. This is always good practice and hopefully will cheer up Mark! 😉

      Alengio
      May 1, 2012
      • Thanks again…this works for me!

        Lodewijk
        May 1, 2012
  66. Oh my word, I just updated my themes and I LOVE THE NEW THEME options. From there, the framework update worked perfectly (for 2 out of 4 sites so far).

    Maybe many of the problems users are having are because they are not running the most recent theme versions, eh? Perhaps users should be notified and that would quell a lot of confusion? Just sayin.

    Thanks Matty and Alengio for your support. Thanks to guys like you, WooThemes rocks.

    Rebecca
    May 1, 2012
    • Thanks Rebecca. We’re glad you like the WooFramework update and are up to date with things. 🙂

      I believe the other two websites you’re running with Fresh News (if I remember correctly, all 4 websites are running Fresh News?) would require a theme update as well, or to comment out the “admin-theme-page.php” file call in your “functions.php” file.

      Again, really glad you’re up to date. Please let us know via an e-mail to techsupport [at] woocommerce.com if you require assistance with your remaining updates. 🙂

      Matty Cohen
      May 1, 2012
  67. Note that if anyone installed, or had automatically installed, v1.3.1 of the VaultPress plugin it may have broken your website. I’m running Gazette Edition and when they pushed out v1.3.1 my website just showed a blank page with no data. I narrowed it down to their plugin and retrograded down to v1.3 to fix my site. Here’s what I got today in email from VaultPress:

    “Today, we tried to update your site to VaultPress 1.3.1 with a WooThemes framework security hotfix. VaultPress 1.3.1 had a problem that caused an error for a small number of our customers. We pinpointed the problem, fixed it, and released VaultPress 1.3.2.

    Your site is running version 1.3.2 so you’ve already been updated and should not see an error.”

    They did give me credit for their subscription due to the error. Hopefully nobody did a manual plugin upgrade to v1.3.1 as they would have to manually upgrade to v1.3.2 if they don’t have the automatic feature turned on.

    Baron
    May 1, 2012
  68. Is there some reason the framework.zip file is so hard to download?

    I’d like to globally apply it to all my woothemes-based sites, so I figured a good start would be to download it via the terminal, i.e.

    wget http://woocommerce.com/updates/framework.zip

    but this results in “This site requires JavaScript and Cookies to be enabled. Please change your browser settings or upgrade your browser.”

    I’m trying to have patience about this security problem, but it’s hard when
    (1) the auto-updater on most of my sites doesn’t work, reporting things like “your version 5.3.1 is up-to-date”
    (2) I can’t download the new framework ZIP file as easily as I can update (for example) wordpress.org/latest.zip

    Canton
    May 1, 2012
    • Do you want me to send it to your gmail?

      a
      May 1, 2012
    • Hi Canton,

      We are currently looking into these issues. I’d advise downloading the file via the browser in the interim.

      Downloading via the browser should allow you to then access the file via Terminal and perform your desired updates. 🙂

      Matty Cohen
      May 1, 2012
  69. I also have the problem on multiple sites where it says that I have the latest version of the framework when I don’t. And I prefer not to manually update every site.

    Why are you simply providing a workaround for the “latest version” problem instead of fixing it so we can update manually? It doesn’t seem like the customer should have to go through the extra work of manually updating when it’s supposed to update automatically.

    Brandon
    May 1, 2012
    • I should have said, “instead of fixing it so we can update automatically.”

      Brandon
      May 1, 2012
    • Hi Brandon,

      We are currently looking into the Automatic Update functionality.

      In order to not delay anyone in getting their WooFramework up to date, we provided the manual update steps.

      Our sincerest apologies for the inconvenience caused here.

      Matty Cohen
      May 1, 2012
      • Wait. There’s an Automatic Update option for the WooFramework? I have the Gazette Edition and I don’t see any option to turn automatic updates on/off.

        I ask because if the WooFramework is updated for my site automatically it will break it as I have a modified framework file.

        Or are you talking about the option to update WooFramework by hitting the update button? If so you might want to call that ‘Express Update’ instead of ‘Automatic’ which implies it’s done without human intervention.

        Baron
        May 1, 2012
        • Hi Baron,

          I was referring to the “Update Framework” link in the WordPress admin.

          My apologies for the confusion. I was referring to our express updater. 🙂

          Matty Cohen
          May 1, 2012
        • Using the updater will overwrite your modifications though, just be sure to back those up when you upgrade.

          Ryan Ray
          May 1, 2012
  70. Just manually updated the site. Thanks for heads up.

    Gnanes
    May 1, 2012
  71. Hello Woo Guys,
    Still alive after all this hassle?

    I started replacing the functions folder in my Livewire theme, which works with Framework 2.1. The result was a blank page.
    After that I reinstalled the backup, which was all right.

    My Livewire seems to operate an older version of Framework. So what do I do now?
    Regards,
    Daan

    Daan Diederiks
    May 1, 2012
    • Hi Daan,

      It looks like your theme requires an update as well.

      Please let us know if we can assist with this. If so, please e-mail techsupport [at] woocommerce.com.

      Thanks Daan. 🙂

      Matty Cohen
      May 1, 2012
  72. I have a few sites with woothemes, seems the framework updater is not working though, says it’s up to date but shows an old version number. Actually it’s the case with most of them.

    nomadone
    May 1, 2012
    • Hi Nur,

      We’re aware of this issue and are currently looking into it.

      In the interim, please use the manual update process, outlined in the blog post above.

      Thanks. 🙂

      Matty Cohen
      May 1, 2012
  73. I am a total tech dummy, but was still able to update manually. So there is hope for the other ftp challenged out there. Hang in there Woos!!!

    Karin
    May 1, 2012
    • Really glad you’re up to date, Karin. Thanks for your support. 🙂

      Matty Cohen
      May 1, 2012
  74. How do you update the framework automatically?

    Antonio Bortolotti
    May 1, 2012
    • Hi Antonio,

      To clarify, I was referring to the “Update Framework” link in the WordPress admin in my comment to Baron.

      We are currently looking into the updater. In the interim, we’d recommend the manual update process outlined above.

      Thank you for your patience in this regard.

      Matty Cohen
      May 1, 2012
  75. I too am unable to update the framework on Simplicity. At what point do you expect for the automatic update to be working. I am not comfortable trying anything manually, as I am really new to WordPress.org and woo themes and am REALLY fearful of screwing something up.

    Andrea
    May 1, 2012
    • Hi Andrea,

      We’re working on getting the updater going again. No set ETA as yet, unfortunately.

      Our team of ninjas are on hand to assist with the updates as well. If you’re not 100% comfortable with a manual update, please e-mail us on techsupport [at] woocommerce.com and let our ninjas know. From there, they’re more than happy to assist with the update process. 🙂

      Matty Cohen
      May 1, 2012
      • Thanks for the quick fix! Just updated it in seconds. Please pass on my thanks to the ninjas!

        Andrea
        May 2, 2012
  76. No automatic update? Ah, no ETA on that. Just the more important update like ever, but you are going to make it a PITA for us to deal with. I think the fact on major security update that you guys can’t get the auto update should speak to the confidence one might have in your themes in the future. You had a security flaw recently, now another one shortly thereafter.

    How about something more useful to use other than “no set ETA”? How about something more reassuring like, a team is looking at this and should be a few hours. Or perhaps you can’t admit that your system is FUBAR when in fact it is needed the most.

    Sorry to rant, but this is pathetic. Sure replies on this thread are nice but how about something more useful? I question now whether auto update will even be possible. If your team working on this isn’t big enough, make it bigger. I say manual update this.

    gman
    May 2, 2012
    • Hi gman,

      To clarify, our team have been working on the updater for several hours alongside our hosting provider. It is down due to our recent move to a new server. We have isolated the area in which the malfunction is occurring and are currently looking into the best possible resolution for this. We estimate several hours before the updater is active.

      For more information on our recovery process from our recent downtime, please see our blog post here: http://woocommerce.com/2012/05/recovery-update-tuesday-1-may/

      Our sincerest apologies for the inconvenience caused here.

      Matty Cohen
      May 2, 2012
      • Appreciate a more detailed post about the automatic update situation. I might have been a bit harsh with my words.

        On a side note, perhaps Woo Themes needs a better protocol when it comes to security issues? It’s not like Windows OS that prompts you for security patches. I suppose the email was sufficient, but you should honestly border on spamming people about the need to update their blogs. Email to me is hardly a reliable method of notifying about serious security issues. Ask people for two email addresses for their sign ups. I don’t know. The more your company grows, the more stuff like this is going to bring you down and tarnish your reputation. I love what you guys do, but the previous security issue and this one seems a bit Mickey Mouse in the handling or protocols. Just my opinion, that’s all.

        gman
        May 2, 2012
        • Hi gman

          We have now fixed that auto update functionality. I’ve worked hard with our hosting provider to get that issue resolved and we’ll be putting measures in place to ensure that the updater will work even if our website is down.

          wdh
          May 2, 2012
          • Thanx for the fix and the update on the autoupdate infrastructure.
            Can you please make the main wooframework options independent now; I couldn’t load the theme options on Canvas & Over Easy at all during the downtime (framework update aside).

            Silencer
            May 2, 2012
  77. How do I use the short codes now? When I’m in the post/page edit I can see the short code list but when I click the short codes don’t insert. I think I may have disabled the short code js from loading a while back, that could be my problem what file can I check in?

    Max
    May 2, 2012
    • Hi Max.

      Please e-mail us on techsupport [at] woocommerce.com or post in the forums where our ninjas can assist, if need be. 🙂

      Matty Cohen
      May 2, 2012
  78. Just wanted to say W00t! The auto update within WordPress is now available. A huge thank you guys for getting that working again. Saves a bit ‘ol hassle for a lot of us. Manual updating is soooo not WordPress if you know what I mean.

    gman
    May 2, 2012
    • We know what you mean, glad to have it working again!

      Ryan Ray
      May 4, 2012
  79. updated! Thank you!

    Susanne
    May 2, 2012
  80. Hi,
    I have a client using WooThemes and they have been hacked…likely from the WooTheme vulnerability. I have seen the recommendation of replacing the functions folder with the “new” version, but that was for folks to do a safety upgrade, not for someone whose site has been exploited.

    What is the mode of attack? Are theme files being overwritten or is the maliciousness confined to the functions folder files? Once attacked, do plugins or WP itself get infected?

    I have only browsed the comments here (there are so many!) and re the “Automatic Update” via WordPress… Is it being suggested that the WP Auto update can be used to clear a hacked WooThemes theme? Manual seems much safer.

    Thanks!
    Ken

    Ken Dawes
    May 2, 2012
    • Hi Ken,

      We’re really sorry one of your websites has been compromised.

      We’d advise updating to the latest version of the WooFramework soonest and contacting the security professionals at http://sucuri.net/ to isolate and resolve the hack. They would be able to isolate which areas of your website have been affected.

      We’d also advise changing all passwords (WordPress, FTP, database, CPanel, etc).

      Our sincerest apologies for the inconvenience caused here.

      Thanks and regards,
      Matty.

      Matty Cohen
      May 2, 2012
  81. I can’t confirm that our website has been compromised, but it is certainly acting up, and updating our theme and framework didn’t seem to fix it. I’d really like to know more about the recommended course of action in the case of a compromised website:
    – How can you tell if your website has been compromised? Where do you look?
    – How do you fix it? Will reverting to an earlier back up be enough?
    – We have several sites hosted on the same server, but the others are not using WooThemes. Could they still be affected?

    I think this might merit a blog post of its own.

    Erlend Sogge Heggen
    May 3, 2012
    • Hi Erlend,

      Please see my comment above to Ken on the course of action if you feel your website may have been compromised.

      We’d recommend contacting the security professionals at Sucuri ( http://sucuri.net/ ) who can scan your server and isolate any potentially compromised areas of your server.

      Our sincerest apologies for the inconvenience caused here.

      Matty Cohen
      May 3, 2012
  82. What does this vulnerability enable a malicious hacker to do?

    I have lots of sites. I’m deciding whether to update them. If it’s not a security risk that could actually have a negative impact on me I see no reason to.

    Louis
    May 3, 2012
    • Hi Louis,

      This update is a critical update that we advise you update to right away.

      The exploit, as detailed above in the blog post, allows unauthorized users to display shortcodes. Through this, a hacker could compromise your website.

      Our updater is available via the “Update Framework” link in your WordPress admin, to make the update process quicker.

      Our sincerest apologies for the inconvenience caused here.

      Matty Cohen
      May 3, 2012
  83. I don’t have to do this for Original Premium News, right? There is a /functions/ folder, but only 2 files, custom.php and easytube.php, and they’re not in the Woo Framework I downloaded.

    Unfortunately, the theme was hacked this morning. IFRAME injection in header.php. I’m not yet sure where the hole is.

    Sam Stevens
    May 3, 2012
    • Hi Sam,

      If the “functions” folder inside your theme doesn’t resemble that of the WooFramework, this fix wouldn’t apply to your theme, no.

      Regarding the error you’ve noted, I’d advise contacting the security professionals at Sucuri ( http://sucuri.net/ ). They would be able to advise on and resolve this hack.

      The current (latest) version of the Original Premium News theme does run on the WooFramework. Once the hack on your website has been resolved, you could upgrade to that, if you wish to do so.

      Our sincerest apologies for the inconvenience caused here.

      Matty Cohen
      May 3, 2012
  84. Hi, WooThemes….. I just checked Wootique theme changelog…
    Hmmm… have you updated that theme (regarding this exploit issue) lately ??

    🙂

    ==========================================================

    “………

    *** Wootique Changelog ***

    2012.04.17 – version 1.3.1
    * template-sale.php preparation for WooCommerce 1.5.4

    2012.03.29 – version 1.3
    * header.php
    includes/theme-woocommerce.php – html5 shim now hooked into wp_head
    * header.php
    includes/theme-woocommerce.php – added woo_nav_before() action and hooked search into it
    * header.php
    includes/theme-woocommerce.php- added woo_nav_after() action and hooked cart / checkout buttons into it
    * header.php – added woo_content_before() hook
    * footer.php – added woo_content_after() hook ”

    …………”

    Alvin
    May 4, 2012
    • Hi Alvin,

      The update was made to the WooFramework, which carries its own changelog file (“functions/functions-changelog.txt”).

      Clicking “Update Framework” in your WordPress admin and following the quick update process there would get your copy of the WooFramework up to date.

      Thanks! 🙂

      Matty Cohen
      May 4, 2012
      • Oh I see..
        I got it..
        thanks, Matty Cohen

        🙂

        Alvin
        May 4, 2012
  85. Hi,
    I have updated my woothemes framework for canvas. I also am using woocommerce and canvas commerce. Do I need to do anything with these?
    Thanks

    Steve Massey
    May 4, 2012
    • Hi Steve,

      WooCommerce doesn’t contain the WooFramework and your child theme piggybacks off of Canvas’ WooFramework, so you should be all good to go after updating Canvas’ WooFramework. 🙂

      Matty Cohen
      May 4, 2012
  86. Hi guys

    I updated the Wooframework manually, everything goes fine but then I get the message “Old version of TimThumb detected in your theme folder. Click here to update.”

    When I click “update TimThumb”, I get the error “Warning: fopen(/var/www/vhosts/mysite/httpdocs/blog/wp-content/themes/canvas/thumb.php) [function.fopen]: failed to open stream: Permission denied in /var/www/vhosts/mysite/httpdocs/blog/wp-content/themes/canvas/functions/admin-functions.php on line 3368”

    Can you please help me out?

    Regards

    Christof

    Christof
    May 4, 2012
    • Christof,

      Post in the forums for technical support. We’ll be able to help out much more thoroughly there than comments here. – http://woocommerce.com/support-forum/

      Ryan Ray
      May 4, 2012
  87. Hello Guys,

    What happened to you all?? No one responding in the forum? Themes are not working properly, neither plugins.

    I’m using canvas theme for my new project and the comment system is not working in the theme, I’ve upgraded to the latest framework. WooDojo Plugin is also not working, I started a thread in the forum and it has been 2 days, no one solved my problem.

    I want you to assist me as quickly as possible. Here’s the thread: http://woocommerce.com/support-forum/?viewtopic=75705

    Bharath Gurram
    May 7, 2012
    • Sorry for the late response time in the forum. During weekends it may not be answered as quickly as usual, but I’ll make sure it is answered today.

      Magnus
      May 7, 2012
  88. Awesome, now the Google fonts I used are no longer supported.

    Stephen Perkins
    May 7, 2012
  89. I finally managed to update the framework, for some reason the automatic update took quite a few attempts and when I was about to give up it worked.

    I want to thank you for sending a warning email to the Woothemes mailing list because WordPress does not tell you when WooThemes framework has to be updated; you need to go to the necessary tab to see the warning, which I hardly do.

    Mary Williams
    May 7, 2012
  90. Hi,

    You guys rock! So major things happened and you dealt with it. You made it painless… all I had to do was go into my theme and click a button and all the files updated automatically. That is way above the normal FTP aggravation that most fixes would entail.

    WooCommerce rocks too!

    Michael
    May 10, 2012
  91. I am still getting an error on the Theme Options panel for Canvas. I manually did the update to the functions file.

    Here is the error I am receiving:

    Fatal error: Out of memory (allocated 29360128) (tried to allocate 262142 bytes) in /homepages/14/d364782900/htdocs/Pretty Things Lingerie/wp-content/themes/canvas/functions/admin-interface.php on line 1231

    Bill
    May 12, 2012
  92. Are your free themes safe? I wanted to test-drive some themes, but was looking at the changelogs and it’s been literally years since the free themes have been updated, and no mention in the changelog of any security fixes.

    Steven
    May 16, 2012
    • Hi,

      Yes they are updated as well. The WooFramework has its own changelog in functions/functions-changelog.txt

      Magnus
      May 16, 2012
  93. I’m trying to update manually but I’m getting this error “Fatal error: Cannot redeclare woothemes_more_themes_page() (previously declared in C:\xampp\htdocs\wordpress\wp-content\themes\hotnaija\functions\admin-functions.php:2477) in C:\xampp\htdocs\wordpress\wp-content\themes\hotnaija\functions\admin-theme-page.php on line 65”. What do I do?

    Joseph
    May 24, 2012
  94. I got this “Warning: require_once(C:\xampp\htdocs\wordpress/wp-content/themes/hotnaija/functions/admin-theme-page.php) [function.require-once]: failed to open stream: No such file or directory in C:\xampp\htdocs\wordpress\wp-content\themes\hotnaija\functions.php on line 18” before I added “admin-theme-page.php” from my old theme and later got this error “Fatal error: Cannot redeclare woothemes_more_themes_page() (previously declared in C:\xampp\htdocs\wordpress\wp-content\themes\hotnaija\functions\admin-functions.php:2477) in C:\xampp\htdocs\wordpress\wp-content\themes\hotnaija\functions\admin-theme-page.php on line 65”. How do I fix it?

    Joseph
    May 24, 2012
  95. I have INSPIRE 1.1.2 installed on a site and there is no framework option. My account login has been suspended although I was a paying customer for 2 years and it appears my subscription just ended June 1st. How can I update this theme?

    David P
    June 20, 2012
    • *no update framework option.

      David P
      June 20, 2012
    • If you post in our support forum we will assist you with the upgrade, although your version doesn’t have shortcodes so does not have the security hole.

      Magnus
      June 20, 2012
  96. Hello, on another site I just updated sealight to the latest version of the framework, only to see this message:

    Old version of TimThumb detected in your theme folder. Click here to update.

    When I click there, I see this:

    Warning: fopen(/home/logic/public_html/wp-content/themes/sealight/thumb.php) [function.fopen]: failed to open stream: Permission denied in /home/logic/public_html/wp-content/themes/sealight/functions/admin-functions.php on line 3369

    David P
    June 20, 2012
    • Delete the old thumb.php manually from ‘wp-content/themes/sealight/thumb.php’

      Please use our support forum if you need more assistance.

      Magnus
      June 20, 2012
  97. Who can help me please? If I click the unordered list with tick in my post, the tick doesn’t appear..

    Turismo in
    June 26, 2012

Trackbacks/Pingbacks

  1. New WooThemes Vulnerability Patched – Update Framework Now! | IT Security
