
Woothemes Framework Update Analysis

In this post, I examine the fact that only 31% of Woothemes-based sites in the top 1 million are running the latest version of the Woothemes Framework. WordPress themes are an important part of the security checklist when maintaining a WordPress installation, and they are easy to overlook.

An essential security maintenance function of any WordPress install is performing regular updates. Most people update the WordPress core and plugins; it is just as important to update every installed WordPress theme to its latest version, because an inactive theme can still be reached by an attacker. Any themes you are not using should be removed rather than left installed.

Examples

29th April 2012 - an exploit was released for the Woothemes Framework. It allows possible code execution through the shortcode preview function. Version 5.3.10 resolved the issue, but additional fixes were applied afterwards, making 5.3.12 the recommended version to stay secure.

August 2011 - an exploit was released for an image resizing script called "timthumb". This exploit affected many WordPress themes, as timthumb was a popular component bundled with many frameworks and standalone themes (it was not limited to Woothemes).

So there have been two critical security vulnerabilities in the past year that affected Woothemes framework based sites. As the charts below show, even websites with significant levels of web traffic appear to have little awareness of, or no regard for, security updates to WordPress themes.

Research

As we use Woothemes here at HackerTarget.com, we researched the Woothemes Framework a bit further across the top 1 million websites. The following statistics show the breakdown of Woothemes Framework versions in use.

WooFramework Versions Compared

This chart shows the detected WooFramework versions of WordPress installs in the top 1 million websites. A total of 2476 Woo-powered sites were detected; note that this only includes sites that still have the metagenerator tag enabled, so sites that have disabled it are not counted at all.

The next chart shows a simple breakdown of the sites running the latest version compared to sites running older versions of the Woothemes Framework. It would not be an unreasonable assumption that many of the 1699 websites with an older version are vulnerable to the known security exploits described above.

Data was collected in mid May 2012; only 31% of Woothemes sites were running the latest version of the framework.

Disabling the Metagenerator Tag

These statistics were determined by searching for the metagenerator tag in the HTML source of each site's front page. It is easy to remove this information from your Woothemes installation, as shown in the following image.

Disabling the metagenerator tag is a good way to remove what security people call information disclosure: information leakage that lets an attacker identify a vulnerable version, and therefore a working exploit, without any active probing. Hiding the version does not fix anything, though. You will, of course, still need to keep all your WordPress bits and pieces up to date to avoid becoming a victim.
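The passive check used for the statistics above is simple to reproduce. The following script is an added example, not code from the original post or from Woothemes: it pulls the WooFramework version out of a page's generator meta tags and classifies the site against the 5.3.12 recommendation. It assumes the framework emits a tag of the form `<meta name="generator" content="WooFramework X.Y.Z" />`, and the sample pages are constructed, not taken from real sites. The "hidden" sample shows why a site that has disabled the tag drops out of the count entirely rather than showing up as outdated.

```python
import re
from html.parser import HTMLParser

# Release the post names as the recommended secure version of the WooFramework.
RECOMMENDED_VERSION = "5.3.12"


class _GeneratorTagParser(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        # Self-closing <meta ... /> tags also reach handle_starttag via handle_startendtag.
        if tag.lower() != "meta":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if attrs.get("name", "").lower() == "generator":
            self.generators.append(attrs.get("content", ""))


def extract_wooframework_version(html):
    """Return the WooFramework version string advertised in the HTML, or None if absent."""
    parser = _GeneratorTagParser()
    parser.feed(html)
    for content in parser.generators:
        # Assumed tag format: content="WooFramework 5.3.12" (other generators, e.g. WordPress, are ignored)
        match = re.match(r"\s*WooFramework\s+(\d+(?:\.\d+)*)", content, re.IGNORECASE)
        if match:
            return match.group(1)
    return None


def parse_version(version):
    """Turn '5.3.12' into (5, 3, 12) so that 5.3.12 compares greater than 5.3.9."""
    return tuple(int(part) for part in version.split("."))


def classify(html, recommended=RECOMMENDED_VERSION):
    """Classify a page as ('current' | 'outdated' | 'unknown', version_or_None)."""
    version = extract_wooframework_version(html)
    if version is None:
        # No tag: the site is either not Woo-powered or has disabled the generator tag.
        return "unknown", None
    if parse_version(version) >= parse_version(recommended):
        return "current", version
    return "outdated", version


def summarize(pages):
    """Count pages per classification, mirroring the breakdown used in the charts."""
    counts = {"current": 0, "outdated": 0, "unknown": 0}
    for html in pages.values():
        status, _ = classify(html)
        counts[status] += 1
    return counts


# Constructed sample pages for demonstration; not captured from real sites.
SAMPLE_PAGES = {
    "current": '<html><head><meta name="generator" content="WooFramework 5.3.12" /></head></html>',
    "outdated": (
        '<html><head><meta name="generator" content="WordPress 3.3.2" />\n'
        '<meta name="generator" content="WooFramework 4.5.0" /></head></html>'
    ),
    "hidden": '<html><head><meta name="generator" content="WordPress 3.3.2" /></head></html>',
}

if __name__ == "__main__":
    for label, page in SAMPLE_PAGES.items():
        print(label, classify(page))
    print(summarize(SAMPLE_PAGES))
```

To run this against live sites, feed `classify()` the fetched front-page HTML of each host. Note that "current" here means at or above 5.3.12; a newer release would also count as current, and a site reporting "unknown" has not been shown to be safe, only to be invisible to this kind of passive check.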

Want to do your own analysis?
Download the full wootheme count in .csv format.
