WooFramework shortcode exploit

Description

WooFramework is the framework used by all WordPress themes produced by WooThemes. The shortcode preview functionality in the WooFramework's bundled shortcode generator (the popup used to add shortcodes to posts and pages through a point-and-click interface) was identified as a security vulnerability: it lets unauthenticated visitors execute any shortcode, giving them the same power to run code on the server that regular publishers have. WordPress installations with unsecured shortcodes (such as [php], which allows raw PHP code to be run) are open to serious attacks if a WooThemes theme is installed, even if it is not the active theme for the site.

Version 5.3.12 of the WooFramework was recently released to ensure that the file in question is overwritten correctly by the WooFramework one-click update system. This update was flagged as "critical" and is an essential update.
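As an added illustration of the trust-boundary failure described above (this is not WooFramework's code; the handler, action and nonce names are hypothetical), here is a WordPress admin-ajax shortcode preview handler in its weak form beside a hardened one:

```php
<?php
// Illustrative WordPress admin-ajax handlers for a shortcode preview endpoint.
// Hypothetical names: 'example_shortcode_preview' and 'example_preview_nonce'
// are assumptions for this example, not WooFramework identifiers.

// Weak pattern: the request body is passed straight to do_shortcode() with no
// capability check, so if this handler is reachable by anonymous visitors, a
// registered [php]-style shortcode becomes unauthenticated code execution.
function example_preview_unsafe() {
    echo do_shortcode( wp_unslash( $_POST['content'] ?? '' ) );
    wp_die();
}
// Registering it on the 'nopriv' hook is what exposes it to everyone:
// add_action( 'wp_ajax_nopriv_example_shortcode_preview', 'example_preview_unsafe' );

// Hardened pattern: a preview is only rendered for a logged-in user who holds
// the same capability needed to publish the shortcode in a post, and the
// request must carry a nonce tied to that user's session (blocks CSRF).
function example_preview_safe() {
    if ( ! is_user_logged_in() || ! current_user_can( 'publish_posts' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    check_ajax_referer( 'example_preview_nonce', 'nonce' );

    $content = wp_unslash( $_POST['content'] ?? '' );
    $html    = do_shortcode( $content );
    wp_send_json_success( array( 'html' => $html ) );
}

// Only the authenticated hook is registered; there is deliberately no
// 'wp_ajax_nopriv_' counterpart, so anonymous requests never reach the handler.
add_action( 'wp_ajax_example_shortcode_preview', 'example_preview_safe' );
```

The capability check restores the "publishers only" boundary the preview was meant to have; it does not make a [php] shortcode itself safe, which is why such shortcodes should be disabled regardless.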


Impact
Possible remote PHP code execution if a [php] shortcode is available.

Recommendation
Update to version 5.3.12 of the WooFramework.

References
WooThemes WooFramework exploit: Execute any shortcode as an unauthenticated visitor
Framework shortcode exploit has been fixed