
+1, could you post your patch? My budding startup idea's blog is powered by a WooTheme, and I have a conference this week, so I'd rather deal with this sooner than later.



I'm not sure how WooThemes uses this file, but you can require a user to be logged in to access it fairly easily. This might break some part of WooTheme's functionality.

Edit `your-theme/functions/js/shortcode-generator/preview-shortcode-external.php`

Somewhere below the `require_once( $url . '/wp-load.php' );` line:

    // Deny anonymous requests before the shortcode preview code runs,
    // returning an HTTP 403 instead of the rendered output.
    if ( ! is_user_logged_in() )
    {
        wp_die( __( 'Nope' ), __( 'Nope' ), array( 'response' => 403 ) );
    }

If you happened to move your wp-content directory[1], this exploit is not going to work on you. The `require_once` statement above relies on wp-content existing so it can find `wp-load.php`.

1. http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-c...
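A stricter variant of the guard from the comment above, added here as an illustration (it is neither WooThemes' code nor the commenter's). Because the shortcode preview is an editing feature, it requires an editing capability rather than accepting any logged-in account; the `edit_posts` capability and the position of the `wp-load.php` bootstrap line are assumptions about how the file is used.

```php
<?php
// Illustrative hardening for preview-shortcode-external.php (not WooThemes' code).
// Assumption: $url is set earlier in the file and this require_once line already exists.
require_once( $url . '/wp-load.php' );

// Step 1: reject anonymous requests with a 403, as the comment above does.
// Anything before this point must not echo output, or headers cannot be sent.
if ( ! is_user_logged_in() ) {
    wp_die( __( 'Nope' ), __( 'Nope' ), array( 'response' => 403 ) );
}

// Step 2 (assumption): rendering shortcodes is an editing action, so also require
// a matching capability. A subscriber-level account is logged in but should still
// be refused here; 'edit_posts' is the capability assumed for this purpose.
if ( ! current_user_can( 'edit_posts' ) ) {
    wp_die( __( 'Nope' ), __( 'Nope' ), array( 'response' => 403 ) );
}

// Only authenticated users with edit rights reach the original preview logic below.
```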




