
Potentially relevant: it seems like the WooThemes site was compromised recently.

http://www.woothemes.com/2012/04/were-alive-and-kicking/



Not related at all, and the WooFramework had been updated days before all this: http://cl.ly/3S2o1z380L3i1D44443A

For the people not yet on the latest WooFramework version: You can download the latest version of WooFramework here: http://cl.ly/2a3j1m351C3u2i0t122j (it is 5.3.10)

Do you know how to manually update the framework? This zip file unzips to a "framework" folder; you need to replace the contents of the "functions" folder of your theme with it. Obviously make a backup of everything before you start.

This exploit is fixed in the latest two stable builds and should have been reported to us (WooThemes team) in the first place. Wonder if this guy has ever heard of the concept of responsible disclosure...
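The manual update described in the comment above (unzip, back up, replace the theme's "functions" folder), written out as a shell script. This is an added example, not WooThemes' own updater or code from the thread; the theme and archive paths are assumptions, and the "diff the backup against the new tree" step is a practitioner's addition so you can see exactly what the update changed before reloading the site.

```shell
#!/bin/sh
# Added example (not from the thread or from WooThemes). Paths are assumptions.
# Step 1, done by hand: unzip the WooFramework archive; it unpacks to a
# directory named "framework". Pass that directory as the second argument.

# Replace a theme's "functions" directory with an unpacked framework
# directory, keeping a timestamped copy of the old one next to the theme.
# Prints the backup path on success.
# Usage: replace_functions_dir <theme_dir> <unpacked_framework_dir>
replace_functions_dir() {
    theme_dir="$1"; new_dir="$2"
    target="$theme_dir/functions"
    [ -d "$target" ] || { echo "no functions dir in $theme_dir" >&2; return 1; }
    [ -d "$new_dir" ] || { echo "no framework dir at $new_dir" >&2; return 1; }
    stamp="$(date +%Y%m%d-%H%M%S)"
    backup="$theme_dir/functions.bak-$stamp"
    cp -R "$target" "$backup" || return 1
    # Remove the old contents first so files dropped upstream do not linger
    # (a leftover file is exactly where an injected backdoor would survive).
    rm -rf "$target"
    cp -R "$new_dir" "$target" || return 1
    printf '%s\n' "$backup"
}

# List files that differ between the backup and the live directory, one per
# line, so the change set can be reviewed before the site is reloaded.
# Usage: changed_files <backup_dir> <live_dir>
changed_files() {
    diff -rq "$1" "$2" | sed -n \
        's,^Files \(.*\) and .* differ$,\1,p; s,^Only in \(.*\): \(.*\)$,\1/\2,p'
}

# Example invocation (assumed paths; adapt to your install):
#   backup=$(replace_functions_dir /var/www/wp-content/themes/mytheme /tmp/framework)
#   changed_files "$backup" /var/www/wp-content/themes/mytheme/functions
```

Keep the backup directory until the site has been confirmed working; if the theme also shipped its own edits inside "functions", the diff output is where they will show up as "Only in" entries.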


Both links are shortened and resolve to a generic api.cld.me domain. You'd expect a fix to be hosted on the woothemes controlled domain, not a largely anonymous domain name. You'd also expect that there'd be at least a homepage mention on woothemes.com to this same URL.

Seriously, if you are a representative of woothemes.com, this approach is a major fail. You have a known website; that's where your authority and trust reside. Use it.

This just looks like someone attempting to get people to add a new backdoor to their existing wootheme powered site.


No, the update pops up within your WordPress admin panel in case you are using one of our themes. Secondary download - with the link I provided - is available because our site was hacked last week: http://www.woothemes.com/2012/04/were-alive-and-kicking/ We only use that download link temporarily to be able to provide the update to our users.


The secondary download link smells fishy. Don't do this. Host the file on a domain that clearly belongs to and is fully managed by only WooThemes.
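The check the two comments above are asking for, as an added example (not code from the thread or from WooThemes): resolve the shortened link's redirect chain and refuse the download unless the final host is the vendor's own domain. The domain names used are assumptions taken from the thread, and the only network call is isolated in one function so the decision logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread or from WooThemes). Domains are assumptions.

# Print the host part of a URL, lowercased, without scheme, credentials,
# port, path or query.
url_host() {
    printf '%s\n' "$1" \
        | sed 's,^[a-zA-Z][a-zA-Z0-9+.-]*://,,; s,^[^/@]*@,,; s,[/:?#].*$,,' \
        | tr 'A-Z' 'a-z'
}

# Succeed if host is the allowed domain or a subdomain of it.
# "evilwoothemes.com" does not match "woothemes.com" (the dot is required).
host_allowed() {
    case "$1" in
        "$2") return 0 ;;
        *."$2") return 0 ;;
    esac
    return 1
}

# Follow the redirect chain with HEAD requests only (no file is saved) and
# print the URL that finally answers. Needs network; not exercised offline.
resolve_final_url() {
    curl -sIL --max-redirs 10 -o /dev/null -w '%{url_effective}\n' "$1"
}

# Decide whether a download may be trusted: the resolved URL must sit on the
# vendor's domain. Returns 0 for OK, 1 for refuse.
check_download_url() {
    final="$1"; vendor="$2"
    host="$(url_host "$final")"
    if host_allowed "$host" "$vendor"; then
        printf 'OK: %s is served from %s\n' "$final" "$host"
        return 0
    fi
    printf 'REFUSE: %s resolves to %s, not %s\n' "$final" "$host" "$vendor" >&2
    return 1
}

# Usage: sh check_link.sh http://cl.ly/2a3j1m351C3u2i0t122j woothemes.com
if [ $# -ge 1 ]; then
    check_download_url "$(resolve_final_url "$1")" "${2:-woothemes.com}"
fi
```

A link that passes this check is still only as trustworthy as the vendor's site, which in this thread had itself just been compromised; the check rules out the anonymous-host case, it does not replace an in-dashboard update from the vendor or a published checksum.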


You can download the latest version of WooFramework here: http://cl.ly/2a3j1m351C3u2i0t122j (it is 5.3.10)

Are you seriously suggesting downloading the fix for a vulnerability from some random website?


No, the update pops up within your WordPress admin panel in case you are using one of the WooThemes themes. That download is behind a login; this zip is publicly available for all the people who didn't believe it was already fixed.


I use a Woo theme and was hacked last week, even though my host told me it was the timthumb vulnerability.

I never received a notice to upgrade the theme in the dashboard (and the option is activated).

What do I do now?


What version number is listed as the current version when you click "Update Framework" in your theme? Most likely you're being impacted by the same issue that I've posted about.


Thanks for your reply. That's what it says: Typebased 2.3.1, Framework 2.7.22


Yikes, that is really out of date; the latest framework is 5.3.12. However, it's not available right now because their site is down. Once it comes back up, be sure to use the "Update Framework" button in the WP admin area!


When did you plan on responsibly disclosing the vulnerability to your customers?


Just replied to your comment on GitHub. I appreciated the official response.

Like I mentioned on GitHub, your updater is broken, so your customers aren't getting this update even if you guys did release it. See my comment for details, but it appears that the file which triggers the Update Framework feature to work has been rolled back to an old version.

Regarding your comment on 'responsible disclosure', where did you responsibly disclose this exploit to your customers and notify them that a critical update was needed to prevent, in your words "a way to cripple many (many, many, many) websites."?


I want to hear the "Injustice – WooThemes Comeback" song. Ch'yeah.



