Update: WooThemes has now bumped their version number and fixed the update bug so please click "Update Framework" inside of the WordPress Admin to grab and install the latest version which patches this bug. - April 29, 10:40am EST
Update: WooThemes says that this is fixed in their latest patch, released just prior to their server hack event this week. However, it appears that their server hack also broke the "Update Framework" function in their themes, so the patch isn't reliably available to existing customers. Additionally, their demo server remains unpatched. See my comments below for more details. - April 29, 10am EST
The latest version (and most likely many previous versions) of the WooThemes WooFramework has a bug that allows any website visitor to run any shortcode and see its output. This gives unauthenticated visitors the same power to execute code on the server as regular publishers have. WordPress installations with unsecured shortcodes (such as [php], which allows raw PHP code to be run) are vulnerable to serious attacks if a WooThemes theme is installed, even if it is not the active theme for the site.
Here is an example right on the WooThemes demo server that allowed me to show a Twitter "follow me" button on their site:
More extreme and malicious uses are left up to the reader; it would be trivial to identify common insecure shortcodes and then try them against common WooThemes in an attempt to run malicious code on the remote server.
The cause of this is the following code in functions/js/shortcode-generator/preview-shortcode-external.php:
```php
// Reads the shortcode straight from the request: no login, capability or nonce
// check happens before it reaches do_shortcode(), so any visitor can invoke it.
$shortcode = isset($_REQUEST['shortcode']) ? $_REQUEST['shortcode'] : '';
// WordPress automatically adds slashes to quotes
// http://stackoverflow.com/questions/3812128/although-magic-quotes-are-turned-off-still-escaped-strings
$shortcode = strip_tags( stripslashes($shortcode) );
// Renders the attacker-supplied shortcode and returns its output to the caller.
echo do_shortcode($shortcode);
```
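For contrast, here is an added example of the same preview endpoint with the checks that keep shortcode rendering restricted to users who could already publish content; this is not WooThemes' code or their actual fix, and the wp-load.php path and the nonce action name `woo_shortcode_preview` are assumptions.

```php
<?php
// Added example, not the WooFramework's own code. Assumes the endpoint is
// bootstrapped through WordPress (required anyway for do_shortcode() to exist);
// the relative path to wp-load.php is an assumption.
require_once dirname( __FILE__ ) . '/../../../../../wp-load.php';

// 1. Only authenticated users who can already edit/publish posts may render
//    shortcodes, which is the privilege level shortcodes were designed for.
if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
    status_header( 403 );
    exit( 'Forbidden' );
}

// 2. Require a nonce tied to the shortcode generator page, so an editor who is
//    logged in cannot be tricked by a third-party site into rendering one.
//    The action name 'woo_shortcode_preview' is assumed; the admin page would
//    issue it with wp_create_nonce( 'woo_shortcode_preview' ).
if ( ! isset( $_REQUEST['_wpnonce'] )
     || ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'woo_shortcode_preview' ) ) {
    status_header( 403 );
    exit( 'Invalid or missing nonce' );
}

// 3. Same input handling as before: WordPress adds slashes to request data.
$shortcode = isset( $_REQUEST['shortcode'] ) ? stripslashes( $_REQUEST['shortcode'] ) : '';

// 4. Filter the markup with the post-content KSES rules instead of strip_tags(),
//    which is what WordPress applies to content these users can already save.
$shortcode = wp_kses_post( $shortcode );

echo do_shortcode( $shortcode );
```

The capability check is the part that closes the bug described above; the nonce and KSES filtering only reduce what a logged-in editor's browser can be made to do, and neither makes an inherently unsafe shortcode such as [php] safe for the users allowed to run it.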