Framework shortcode exploit has been fixed

There are a few tweets going around about an exploit in our WooFramework. It happens to be making news around the same time we were hacked, so naturally it could cause some hysteria about a possible link between the two and a vulnerability on our users’ sites. Rest assured there is no link, and the exploit was actually fixed a few days before our website was hacked.

We have, however, issued another update to the WooThemes framework (V5.3.11, since updated to V5.3.12) to tighten the security of our themes even further. We recommend all users update their themes to the latest version; it’s really easy. Click the “Update Framework” button in our theme framework in the WP backend to grab and install the latest version.

This from WooThemes developer Matty Cohen:

The shortcode preview functionality that was in the WooFramework’s bundled shortcode generator (the neat popup used to add shortcodes to posts and pages with a point-and-click interface) was identified as a potential security exploit several days ago. After the first report was made, we began work on isolating and resolving this exploit. This resulted in the removal of this functionality from the WooFramework (the shortcode generator is still there… just the preview functionality was removed).

The potential exploit is such that the shortcode preview allowed users to generate shortcodes using the preview window’s file, without authenticating the user.

We would have preferred the user who published the details of the exploit to have disclosed it to us securely and privately first, before sharing it on social readers where it received some unjustified, harsh critique, but for the sake of transparency we are publicly acknowledging and responding to the information at the risk of causing some nervy users.
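The weakness Matty describes is a preview file that could be reached and used without WordPress ever checking who was asking. The following is an added illustration, not WooFramework code: it sketches that shape in a comment and then shows the WordPress-native way to gate such a preview (an admin-ajax action with a nonce, a capability check and an allow-list of shortcode tags). The action name, nonce name, option name and script handle are hypothetical, and the `get_shortcode_regex( $tagnames )` and `wp_send_json_error( $data, $status )` signatures assume WordPress 4.4 or later.

```php
<?php
// Added example, not WooFramework code. Names below are hypothetical.

/*
 * Vulnerable shape (the pattern to look for in a code review): a standalone
 * PHP file inside the theme that reads request input and renders it without
 * loading WordPress' authentication layer, so any visitor can call it directly.
 *
 *   // wp-content/themes/example-theme/functions/preview.php (hypothetical path)
 *   echo do_shortcode( $_POST['shortcode'] );   // no login, capability or nonce check
 */

// Hardened shape: route the preview through admin-ajax.php. Only the 'wp_ajax_'
// hook is registered; leaving out 'wp_ajax_nopriv_' means WordPress rejects
// logged-out requests before this code runs.
add_action( 'wp_ajax_example_shortcode_preview', 'example_shortcode_preview' );

function example_shortcode_preview() {
	// 1. CSRF protection: the request must carry a nonce minted for this action
	//    (check_ajax_referer() terminates the request on failure).
	check_ajax_referer( 'example_shortcode_preview', 'nonce' );

	// 2. Authorisation: being logged in is not enough; require the capability
	//    the post editor itself needs before a user may render shortcodes.
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 3. Input handling: accept only a non-empty string, with WordPress' added slashes removed.
	$input = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
	if ( ! is_string( $input ) || '' === $input ) {
		wp_send_json_error( array( 'message' => 'No shortcode supplied.' ), 400 );
	}

	// 4. Allow-list: only render the tags the generator offers. The option that
	//    stores that list is an assumption for this example.
	$allowed = (array) get_option( 'example_generator_shortcodes', array() );
	if ( empty( $allowed ) || ! preg_match( '/' . get_shortcode_regex( $allowed ) . '/', $input ) ) {
		wp_send_json_error( array( 'message' => 'Shortcode not permitted.' ), 400 );
	}

	// 5. Render, then sanitise the output as post content before returning it.
	$html = wp_kses_post( do_shortcode( $input ) );
	wp_send_json_success( array( 'html' => $html ) );
}

// The editor screen receives the nonce through the generator script's localized
// data; 'example-shortcode-generator' is an assumed script handle.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
	if ( 'post.php' !== $hook && 'post-new.php' !== $hook ) {
		return;
	}
	wp_localize_script( 'example-shortcode-generator', 'examplePreview', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'example_shortcode_preview' ),
	) );
} );
```

The design point is that each check covers a different failure: the missing `nopriv` hook blocks anonymous callers, the nonce blocks a logged-in user being driven by another site, the capability check blocks low-privilege accounts, and the allow-list keeps the preview from becoming a general-purpose renderer for whatever shortcodes other plugins have registered.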

Feel free to post any further questions below where Matty and our other developers will happily calm your nerves. What we have actioned as a result of this story is a new Twitter account that users can follow called “WooThemesDev” which will communicate theme updates and codebase details to interested users.

Follow ‘WooThemesDev’ on Twitter

Update: Version 5.3.12 of the WooFramework was recently released to ensure that the file in question is overwritten correctly by the WooFramework one-click update system. This update was flagged as “critical” and is an essential update.

Update: If you’re experiencing an issue automatically updating to V5.3.12, or the update doesn’t show for you on the “Update Framework” screen of your WordPress admin, please see our tutorial on how to perform a manual WooFramework upgrade.

If this tutorial link isn’t visible to you after being logged in to your WooThemes account, give us a shout in the Support Forum and we’ll assist in getting you upgraded.

Please ensure that all themes on your website that use the WooFramework are updated to the latest version (not just the theme you have active).

Update: Any issues that you were experiencing with our built-in auto updater have now been resolved.

Manually Upgrading the WooFramework

To manually upgrade the WooFramework, the steps are:

  1. Download the WooFramework ZIP file.
  2. Back up your entire theme onto your computer, using an FTP program (your web hosting provider should provide FTP information). This is a precaution in case you need to revert to the previous version you were running.
  3. Unzip the WooFramework ZIP file downloaded in step 1.
  4. Remove all files from the “functions” folder inside your theme via FTP.
  5. Replace the content of the “functions” folder inside your theme with the contents of the ZIP file unzipped above.
  6. Repeat this for all WooThemes using the WooFramework that are on your server, not just the active theme.
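For sites where you have shell rather than FTP access, the same steps can be scripted so that no theme is missed and a restorable copy always exists before anything is deleted. This is an added example and not a WooThemes tool; the three paths on the command line are hypothetical, and the second one must point at the already-unzipped folder whose contents belong inside each theme’s “functions” folder (step 3 above).

```php
<?php
// Added example, not a WooThemes tool. Performs the manual upgrade steps for
// every theme on the server that bundles the WooFramework.
//
// Usage (paths hypothetical):
//   php upgrade-wooframework.php /var/www/wp-content/themes /tmp/wooframework-unzipped /tmp/woo-backups

function copy_tree( $src, $dst ) {
	if ( ! is_dir( $dst ) && ! mkdir( $dst, 0755, true ) ) {
		throw new RuntimeException( "Cannot create $dst" );
	}
	foreach ( new DirectoryIterator( $src ) as $entry ) {
		if ( $entry->isDot() ) {
			continue;
		}
		$from = $entry->getPathname();
		$to   = $dst . DIRECTORY_SEPARATOR . $entry->getFilename();
		if ( $entry->isDir() ) {
			copy_tree( $from, $to );
		} elseif ( ! copy( $from, $to ) ) {
			throw new RuntimeException( "Cannot copy $from" );
		}
	}
}

function remove_tree_contents( $dir ) {
	foreach ( new DirectoryIterator( $dir ) as $entry ) {
		if ( $entry->isDot() ) {
			continue;
		}
		$path = $entry->getPathname();
		if ( $entry->isDir() ) {
			remove_tree_contents( $path );
			rmdir( $path );
		} else {
			unlink( $path );
		}
	}
}

// Returns the names of the themes that were upgraded.
function upgrade_all_themes( $themes_dir, $new_functions_dir, $backup_root ) {
	// Refuse to delete anything until the replacement files are confirmed present.
	if ( ! is_dir( $new_functions_dir ) ) {
		throw new RuntimeException( "New framework folder not found: $new_functions_dir" );
	}
	$stamp   = date( 'Ymd-His' );
	$updated = array();
	foreach ( glob( rtrim( $themes_dir, '/' ) . '/*', GLOB_ONLYDIR ) as $theme ) {
		$functions = $theme . '/functions';
		// Only themes that bundle the WooFramework have a "functions" folder.
		if ( ! is_dir( $functions ) ) {
			continue;
		}
		$name = basename( $theme );
		// Step 2: keep a dated copy so the previous version can be restored.
		copy_tree( $functions, "$backup_root/$stamp/$name/functions" );
		// Step 4: remove the old framework files completely, so no stale file survives.
		remove_tree_contents( $functions );
		// Step 5: copy in the new framework.
		copy_tree( $new_functions_dir, $functions );
		$updated[] = $name;
	}
	return $updated;
}

if ( PHP_SAPI === 'cli' && isset( $argv ) && count( $argv ) === 4 ) {
	foreach ( upgrade_all_themes( $argv[1], $argv[2], $argv[3] ) as $theme ) {
		echo "Upgraded WooFramework in theme: $theme\n";
	}
}
```

Emptying the folder before copying (step 4) matters more than it looks: the V5.3.12 release described above exists precisely because an earlier update left the affected file in place, and a copy-over that does not delete first would repeat that mistake.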

Theme upgrades, WooFramework updates, version numbers and what they all mean

Here at Woo, we have a few components that make up each theme we release. The two main components are the theme’s design and code and the WooFramework. Our themes and the WooFramework alike are updated regularly with improvements and bugfixes to enhance our products and keep them up to date with current trends and developments, as well as code improvements and refinements. Each theme, as well as the WooFramework itself, carries a version number, which is increased with each update or bugfix.

As the WooFramework is so seamlessly integrated into all of our themes, it can be confusing at first as to which pieces are what, which files to upload when upgrading your theme and how the WooFramework fits into the bigger picture. While we have support documentation that explains theme upgrades, the rest of the pieces may require a bit more explanation. Today, I’ll be explaining what the version numbers mean, how to keep your theme up to date and what role the WooFramework plays in our themes.

The WooFramework

The WooFramework (found in the “functions” folder in all our themes) is the engine that powers our 100+ themes (and growing). Functionality such as woo_breadcrumbs(), woo_pagination() and our theme options all runs through the WooFramework. Periodically (quite often, in fact), we update the WooFramework with enhancements and code improvements, as well as fixes for the occasional bug that presents itself. These updates are rolled out via an automated update system built into the WooFramework (the “Update Framework” link in the WordPress admin). Also included in the WooFramework are the Sidebar Manager and an easy-to-use backup facility to create downloadable backup files of your theme options.

The WooFramework files in the Functions folder within your theme.

If a new feature is developed and isn’t specific to a single theme, it is included in the WooFramework for use by everyone.

Theme Components

Each theme is made up of the core WordPress template files (found in the main folder of the theme) as well as several theme-specific functions and components, found in the “includes” folder. These files, while pretty consistent, can change from theme to theme and, therefore, are not included in the WooFramework. Theme options are specified in the “includes” folder, as well as theme setup-related functionality and specific enhancements (custom typography and styling generation, for example).

The theme options panel is dictated by the code in the Includes folder of your theme.

Version Numbers… what do they mean?

Our versioning system consists of three parts: rewrites/major upgrades, new feature updates and bugfixes. For example, V1.0.0 is a new theme with no features added after release and no bugfixes, whereas V2.4.3 is a theme that has had 1 rewrite/major upgrade, 4 new features and 3 bugfixes after the 4th new feature.

Knowing this versioning system is important when upgrading and maintaining a website using one of our themes. If you’re running, for example, V2.4.0 and V2.4.1 is released, you can instantly know that this is a bugfix, is usually minor and may not affect you.
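The rule above is mechanical enough to script, which is handy when an administrator looks after many Woo sites. The following is an added example, not WooThemes code: it parses a version string in the three-part scheme just described and reports which part changed between the installed and the offered version. The worked cases are the V2.4.0 to V2.4.1 pair from this post and the V5.3.11 to V5.3.12 security release described earlier.

```php
<?php
// Added example, not WooThemes code. Implements the three-part version scheme
// (rewrite/major . new feature . bugfix) described in the post.

function parse_woo_version( $version ) {
	// Accept "V2.4.3", "v2.4.3" or "2.4.3"; reject anything else.
	if ( ! preg_match( '/^v?(\d+)\.(\d+)\.(\d+)$/i', trim( $version ), $m ) ) {
		throw new InvalidArgumentException( "Unrecognised version: $version" );
	}
	return array(
		'major'   => (int) $m[1], // rewrites / major upgrades
		'feature' => (int) $m[2], // new feature updates
		'bugfix'  => (int) $m[3], // bugfixes since the last new feature
	);
}

// Returns 'major', 'feature', 'bugfix' or 'none' for moving from $current to $new,
// or 'downgrade' if $new is older than $current. Parts are compared in order of
// significance, so a jump from 1.0.0 to 2.4.3 is reported as 'major'.
function classify_update( $current, $new ) {
	$a = parse_woo_version( $current );
	$b = parse_woo_version( $new );
	foreach ( array( 'major', 'feature', 'bugfix' ) as $part ) {
		if ( $b[ $part ] > $a[ $part ] ) {
			return $part;
		}
		if ( $b[ $part ] < $a[ $part ] ) {
			return 'downgrade';
		}
	}
	return 'none';
}

// Worked cases. Note that the V5.3.11 -> V5.3.12 security release, flagged
// "critical" above, increments only the bugfix part: "bugfix" means "small in
// scope", not "safe to skip", so the changelog still decides.
$cases = array(
	array( 'V2.4.0',  'V2.4.1' ),  // bugfix
	array( 'V5.3.11', 'V5.3.12' ), // bugfix (the critical security update)
	array( 'V1.0.0',  'V2.4.3' ),  // major
);
foreach ( $cases as $pair ) {
	printf( "%s -> %s: %s\n", $pair[0], $pair[1], classify_update( $pair[0], $pair[1] ) );
}
```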

That being said, it is important to keep your theme up to date. For this reason, each of our themes includes a “changelog.txt” file, denoting each update made to the theme, which file it was made in and what the update was. Reading the changelog for the version you’re looking to upgrade to, along with understanding our version numbering system above, can go a long way to improving your upgrade experience and understanding how best to manage your theme maintenance. Speaking of theme maintenance, using a child theme is always a good idea.

When it comes to the WooFramework, this is where the majority of major updates are released. For this reason, the WooFramework provides a neat update notifier that adds a message on your theme options admin screen when a new version is available. We’d recommend activating this if you would like to be notified of the latest updates.

I hope this helps to provide a clearer understanding of our versioning system, when and how to upgrade and what it all means, as well as enhancing your overall WooThemes experience.