Description
WooFramework is a framework used by all WordPress themes produced by WooThemes.
The shortcode preview functionality in the WooFramework's bundled shortcode generator (the popup used to add shortcodes to posts and pages through a point-and-click interface) was found to be exploitable. It gives unauthenticated visitors the same power to execute code on the server as users with publishing rights. WordPress installations with unsecured shortcodes (such as [php], which allows raw PHP code to be run) are therefore exposed to serious attacks whenever a WooThemes theme is installed, even if it is not the active theme for the site.
Version 5.3.12 of the WooFramework was released to ensure that the affected file is correctly overwritten by the WooFramework one-click update system. The update was flagged as "critical" and is essential.
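The defect class described above is a preview endpoint that renders arbitrary shortcodes for anyone who can reach it. The following is an added illustration, not WooFramework's own code: the file name, hook names and request parameters are hypothetical, and the "weak" lines are kept as comments only to show what the hardened handler adds (no anonymous handler, a capability check and a nonce check before do_shortcode runs).

```php
<?php
/*
 * Added example (not WooFramework code). Shows a shortcode preview
 * handler registered as an authenticated WordPress AJAX action.
 * Hook name, nonce action and parameter names are assumptions.
 */

// --- Weak pattern (for contrast, left commented out) ---
// A stand-alone file that bootstraps WordPress and renders whatever it is
// sent. Nothing checks who is asking, so any visitor can run shortcodes:
//   require_once dirname(__FILE__) . '/wp-load.php';
//   echo do_shortcode(stripslashes($_REQUEST['content']));

// --- Hardened pattern ---
// Register only the logged-in variant of the action. There is deliberately
// no matching wp_ajax_nopriv_ hook, so logged-out users get no handler at all.
add_action('wp_ajax_example_shortcode_preview', 'example_shortcode_preview');

function example_shortcode_preview() {
    // 1. Capability check: only users allowed to publish content may render
    //    shortcodes, since rendering is equivalent to publishing them.
    if (!current_user_can('publish_posts')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    // 2. Nonce check: the request must carry a token issued to this user for
    //    this action, so a third-party page cannot trigger the preview (CSRF).
    check_ajax_referer('example_shortcode_preview', 'nonce');

    // 3. Take the content from POST only, remove WordPress' added slashes and
    //    apply the same HTML filtering a post body would receive.
    $content = isset($_POST['content']) ? wp_unslash($_POST['content']) : '';
    $content = wp_kses_post($content);

    // 4. Render shortcodes only after the checks above have passed.
    echo do_shortcode($content);
    wp_die();
}

/*
 * The editor page that calls this handler would embed the nonce, e.g.:
 *   wp_create_nonce('example_shortcode_preview')
 * and POST it to admin-ajax.php together with action=example_shortcode_preview.
 */
```

The capability chosen matters: a preview endpoint should require at least the rights of the user who could publish the same shortcodes, because for a shortcode like [php] rendering a preview is indistinguishable from running the code.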
Remediation
Update to version 5.3.12 of the WooFramework.