Yesterday a vulnerability in the WooThemes Framework was disclosed by Jason Gill on a GitHub Gist. The vulnerability allows a visitor to see and run the output of any shortcode configured on the WordPress site.
At this time this does not appear to be linked to the DDoS they experienced this week.
We are currently assessing the severity of this vulnerability in our labs. If we find that something severely adverse can be done with it, the next big concern will be that it can be exploited even when the theme is not active.
Quick tip: If your themes or plugins aren’t in use, get rid of them!
The WooThemes team responded to the post showing that the bug had been found and fixed on 04/23/2012. The complication appears to be that the patched release also negatively impacted the automatic updater, so some users may never have been notified of the issue.
The WooThemes team responded this morning informing everyone of the vulnerability and its patch. Matty Cohen is quoted saying:
The shortcode preview functionality that was in the WooFramework’s bundled shortcode generator (the neat popup used to add shortcodes to posts and pages with a point-and-click interface) was identified as a potential security exploit several days ago. After the first report was made, we began work on isolating and resolving this exploit. This resulted in the removal of this functionality from the WooFramework (the shortcode generator is still there… just the preview functionality was removed).
The potential exploit is such that the shortcode preview allowed users to generate shortcodes using the preview window’s file, without authenticating the user.
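The pattern Matty Cohen describes, a standalone preview file that renders shortcodes for anyone who requests it, is worth seeing next to a hardened version. The following is an added illustration written for this post, not WooThemes' code; the file path, the `example_` function and the `wp_ajax_example_shortcode_preview` action name are our own invented placeholders, while the checks use standard WordPress core functions (`check_ajax_referer`, `current_user_can`, `shortcode_exists`).

```php
<?php
// Added illustration (not the WooFramework's actual code) of the anti-pattern
// described above: a standalone "preview" file inside a theme directory that
// bootstraps WordPress and renders whatever shortcode the request supplies, with
// no authentication. Because it is a plain file under wp-content/themes/, the
// web server serves it whether or not the theme is active, which is why
// deleting unused themes removes the exposure.

// --- Vulnerable pattern (hypothetical file: wp-content/themes/example/preview.php) ---
// require_once dirname( __FILE__ ) . '/../../../wp-load.php';
// echo do_shortcode( wp_unslash( $_REQUEST['shortcode'] ) ); // any visitor, any shortcode

// --- Hardened pattern: expose the preview only as an authenticated admin-ajax
// action, limited to users who may edit content and protected by a nonce. ---
add_action( 'wp_ajax_example_shortcode_preview', 'example_shortcode_preview' ); // hypothetical action name

function example_shortcode_preview() {
    // 1. Nonce check: the request must originate from our own editor UI.
    check_ajax_referer( 'example_shortcode_preview', 'nonce' );

    // 2. Capability check: the caller is logged in and allowed to edit posts.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Only accept the name of a shortcode that is actually registered,
    //    rather than arbitrary text, before handing anything to do_shortcode().
    $tag = isset( $_POST['tag'] ) ? sanitize_key( $_POST['tag'] ) : '';
    if ( ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unknown shortcode', 400 );
    }

    $html = do_shortcode( '[' . $tag . ']' );
    wp_send_json_success( wp_kses_post( $html ) );
}

// The wp_ajax_nopriv_ hook is deliberately NOT registered, so unauthenticated
// visitors receive WordPress's default rejection instead of rendered output.
```

The important design choice is that the hardened version never exists as a directly reachable file: it is only callable through `admin-ajax.php`, which means WordPress's own authentication, nonce and capability machinery sits in front of it, and disabling the theme really does disable the feature.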
The Area of Concern
The bigger issue appears to be the following:
- The disclosure of this vulnerability, and what appears to be little regard for “responsible disclosure”.
- The lack of disclosure from the company if in fact it was patched April 23rd.
- Getting the word out to all the end-users using the theme or that have it on their servers sitting idle.
This is easily a chicken-and-egg scenario. If the vulnerability was in fact found and patched on April 23rd, then a public disclosure was and is warranted, especially when we’re talking about the number of end-users running the WooThemes framework. That being said, Jason Gill also had the social responsibility to disclose responsibly to the company. This could easily be perceived as something a grey-hat would do.
The Real Problem
The real problem right now is that the information is in the wild. Again, it comes down to the simplest of security practices: update your software immediately.
Version 5.3.11 of the WooFramework is working fully with the automatic “Update Framework” link as well. This was just a matter of a slightly older version being online after our website restoration, which was why the automated updater wasn’t being triggered. We’ve now remedied this with version 5.3.11. – WooThemes
Our focus now has to be getting ahead of the attack and reducing the attack surface.
Please, be sure to review your server and update or remove any old themes not being used.
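To make that review concrete, here is an added audit script (our own example, not from the original post or from WooThemes) that lists every theme and plugin installed on a site but not in use, with its version, so each one can be updated or deleted. It assumes it is dropped into the WordPress root next to `wp-load.php` and run from the command line; the filename `inactive-audit.php` and the `example_` function names are our choice, and the WordPress calls (`wp_get_themes`, `get_stylesheet`, `get_template`, `get_plugins`, `is_plugin_active`) are core functions.

```php
<?php
// Added example, not part of the original post: audit a WordPress install for
// themes and plugins that are present on disk but not active. Usage, from the
// WordPress root directory (hypothetical filename):  php inactive-audit.php

define( 'WP_USE_THEMES', false );
require_once __DIR__ . '/wp-load.php';                   // bootstrap WordPress
require_once ABSPATH . 'wp-admin/includes/plugin.php';   // get_plugins(), is_plugin_active()

// Themes: everything under wp-content/themes/ except the active theme and,
// when a child theme is active, its parent (both are needed to render the site).
function example_inactive_themes() {
    $in_use   = array( get_stylesheet(), get_template() );
    $inactive = array();
    foreach ( wp_get_themes() as $slug => $theme ) {     // keyed by directory name
        if ( ! in_array( $slug, $in_use, true ) ) {
            $inactive[ $slug ] = $theme->get( 'Version' );
        }
    }
    return $inactive;
}

// Plugins: everything under wp-content/plugins/ that is not activated.
function example_inactive_plugins() {
    $inactive = array();
    foreach ( get_plugins() as $file => $data ) {        // keyed by plugin-dir/plugin-file.php
        if ( ! is_plugin_active( $file ) ) {
            $inactive[ $file ] = $data['Version'];
        }
    }
    return $inactive;
}

$report = array(
    'themes'  => example_inactive_themes(),
    'plugins' => example_inactive_plugins(),
);
foreach ( $report as $kind => $items ) {
    printf( "%d inactive %s\n", count( $items ), $kind );
    foreach ( $items as $name => $version ) {
        printf( "  %-40s version %s\n", $name, $version );
    }
}
```

Every entry it prints is code that is still reachable on disk, and therefore still a target for exactly the kind of standalone-file bug discussed above, even though it contributes nothing to the running site.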
Thought of the day: Let’s all use this opportunity to grow from it as a community and learn to better engage with each other.
If you have any further questions please contact us at firstname.lastname@example.org