WooThemes released a security patch today for their theme framework. The vulnerability is in a preview function and allows any visitor to run, and see the output of, any shortcode used by your theme. Unfortunately, the vulnerability is now widely known (having been published on the Internet before the theme developers were notified), which means every site using WooThemes is at risk.
Further compounding the issue is the fact that WooThemes suffered a massive server hack which, while it does not pose any direct threat to users of their themes, did cause the automatic upgrade function within the WordPress dashboard to stop working. That means you can’t rely on a dashboard notification to let you know when it’s time to upgrade. Instead, you’ll need to check your version number. Anything before version 5.3.12 is at risk and should be updated immediately.
If you don’t have the upgrade button on your dashboard, you’ll need to update your theme manually. You can find the instructions here.
Make sure you upgrade all your themes – even the ones you’re not using – because this vulnerability can be exploited even in an inactive theme. Actually, now might be a really good time to just get rid of those themes you’re not using. The only themes you need on a WordPress site are your current theme, any required parent theme, and at least one of the two that come installed with WordPress (Twenty Ten and Twenty Eleven). Everything else is an unnecessary security risk.
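To make the checks above repeatable, here is an added example (not from the original post or from WooThemes) that walks a wp-content/themes directory, reads every theme's style.css headers whether the theme is active or not, flags WooThemes-authored themes whose version is below 5.3.12, and flags themes that are neither the active theme, its parent, nor a bundled default. It assumes that WooThemes themes are identifiable by their Author: header and that the style.css Version: header is the number to compare; if your framework records its version elsewhere, point the check at that file instead.

```python
import re
import tempfile
from pathlib import Path

SAFE_VERSION = "5.3.12"                          # first patched version named in the post
DEFAULT_THEMES = {"twentyten", "twentyeleven"}   # bundled with WordPress at the time
# Theme metadata lives in a comment block at the top of each theme's style.css.
HEADER_RE = re.compile(r"^\s*\*?\s*(Theme Name|Version|Template|Author):\s*(.+?)\s*$", re.M)

def parse_version(text):
    """'5.3.12' -> (5, 3, 12); compare numerically, since as strings '5.3.9' > '5.3.12'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def theme_headers(style_css):
    return dict(HEADER_RE.findall(style_css.read_text(encoding="utf-8", errors="replace")))

def audit_themes(themes_dir, active_theme, safe_version=SAFE_VERSION):
    """Classify every installed theme, inactive ones included, as OK / UPDATE / REMOVE.
    Assumption: WooThemes themes carry 'WooThemes' in Author:, and the style.css
    Version: header is the number to compare against safe_version."""
    themes = {d.name: theme_headers(d / "style.css")
              for d in sorted(Path(themes_dir).iterdir()) if (d / "style.css").is_file()}
    # Keep only the active theme, its parent (Template:) and the bundled defaults.
    parent = themes.get(active_theme, {}).get("Template", active_theme)
    keep = {active_theme, parent} | DEFAULT_THEMES
    report = {}
    for name, hdr in themes.items():
        version = hdr.get("Version", "0")
        if name not in keep:
            report[name] = "REMOVE (unused theme)"
        elif ("woothemes" in hdr.get("Author", "").lower()
              and parse_version(version) < parse_version(safe_version)):
            report[name] = "UPDATE (%s < %s)" % (version, safe_version)
        else:
            report[name] = "OK"
    return report

def build_sample_site():
    """Constructed wp-content/themes tree for demonstration; not a real site."""
    root = Path(tempfile.mkdtemp())
    samples = [("canvas", "Canvas", "5.3.11", "WooThemes", ""),
               ("canvas-child", "Canvas Child", "1.0", "Site owner", "canvas"),
               ("oldwoo", "Old Woo", "5.2.0", "WooThemes", ""),
               ("twentyeleven", "Twenty Eleven", "1.2", "the WordPress team", "")]
    for slug, title, ver, author, parent in samples:
        (root / slug).mkdir()
        header = "/*\nTheme Name: %s\nVersion: %s\nAuthor: %s\n" % (title, ver, author)
        header += ("Template: %s\n" % parent if parent else "") + "*/\n"
        (root / slug / "style.css").write_text(header, encoding="utf-8")
    return root
```

Against a real install, call audit_themes with the path to wp-content/themes and the active theme's directory name (the value WordPress stores in the stylesheet option); with the constructed sample, canvas is reported as UPDATE, oldwoo as REMOVE, and the child theme and Twenty Eleven as OK.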
Perhaps the most concerning thing about this whole incident is that this vulnerability was discovered on April 23, and users were not notified until today. Seven days is a long time to let your customers' sites remain open to attack. Shame on WooThemes for not being more proactive.
More information about the exploit can be found at WooThemes.com.
What about you? Do you use WooThemes? Have you upgraded yet? Let us know how the upgrade process went for you.
Kris Olin says
I just updated my framework. Thanks for the tip! WOO still rules!