
Automatically update

Viewing 12 posts - 1 through 12 (of 12 total)
  • #446504

    ktworker
    Participant

    Hello.
    I have the automatic update option enabled for all plugins.
    But how do I automatically update the WoodMart theme + WoodMart core + every plugin that comes with the theme?

    #446530

    Hello,

    You need to make a full backup of the site, update the theme in Appearance > Themes, then update all the plugins in Appearance > Install plugins. They are never updated automatically.

    If you have any questions please feel free to contact us.

    Best Regards

    #466791

    ktworker
    Participant

    Hello.
    It is highly important to have automatic updates.
    Our website has been hacked TWICE this year because of a vulnerability in WoodMart.

    #466792

    ktworker
    Participant

    Today we received a message from MalCare that our website was hacked and that we need to update WoodMart.
    So it is very important to do it automatically.

    #466817

    ktworker
    Participant

    MalCare sent me:
    https://patchstack.com/database/vulnerability/woodmart-core/wordpress-woodmart-core-plugin-1-0-36-php-object-injection
    https://patchstack.com/database/vulnerability/woodmart-core/wordpress-woodmart-core-plugin-1-0-36-privilege-escalation

    I’m afraid that the hacker downloaded all orders and clients' details (emails, phone, addresses, names, etc.)…

    But I did not receive notifications about this issue from WoodMart and cannot update it automatically.

    It is not the first vulnerability, and I think it is not good practice to update the theme manually.
    I would prefer a website broken by an auto-update to someone hacking it and downloading clients' details.

    #466894

    Artem Temos
    Keymaster

    Hello,

    These vulnerabilities don’t allow hackers to download your clients’ details so you don’t need to worry about that.

    Unfortunately, WordPress doesn’t provide a mechanism to install updates automatically for plugins and themes.

    Kind Regards

    #467330

    ktworker
    Participant

    Hello.
    Please check
    https://patchstack.com/database/vulnerability/woodmart-core/wordpress-woodmart-core-plugin-1-0-36-php-object-injection
    https://patchstack.com/database/vulnerability/woodmart-core/wordpress-woodmart-core-plugin-1-0-36-privilege-escalation

    —> “After this they could take full control of the website”

    Full control = Full control.
    They could download the clients database if WoodMart is not updated.

    _____

    > Unfortunately, WordPress doesn’t provide a mechanism to install updates automatically for plugins and themes.

    WordPress allows auto-updating core and plugins. The WP developers added this option after a situation in which a lot of websites were hacked because of a vulnerability in a popular plugin.
    Also, WP is like LEGO: you, as the developer, could make auto-update available for your theme, plugins and other assets.

    Why do you not want to do it?
    I would prefer a broken website to someone downloading my clients database and accessing admin.
    Please make it optional.

    OR
    send us an email if something similar is found.
    Because it is not okay that my website was hacked and my clients database was downloaded.

    I have a license and you know my email, but I see NO notifications about the WoodMart vulnerability and no one asked me to update it.

    I just received an email from MalCare AFTER my website was hacked!

    #467334

    Artem Temos
    Keymaster

    Hello,

    You can try to reproduce this on your website and you will see that you will not be able to get full control over your website.

    ThemeForest sends email notifications once the new version is released. We mentioned in our changelog that this update is important to fix the vulnerability.

    Kind Regards

    #467337

    ktworker
    Participant

    > You can try to reproduce this on your website and you will see that you will not be able to get full control over your website

    I have no technical details to reproduce it. I am not a developer.
    I trust patchstack.com and their CRITICAL status for this issue.

    I checked and found fake admin accounts in my WP (I did not create them).

    I had to restore WP from backup to solve it.

    > ThemeForest sends email notifications once the new version is released

    It is not a solution in this situation. ThemeForest notifications are sometimes sent with a delay.

    > We mentioned in our changelog that this update is important to fix the vulnerability.

    Do you really think that customers should read the changelog every day?))))

    ____
    Please make auto-update an option for clients to avoid these issues in the future. Please send it to the developers!

    #467355

    Artem Temos
    Keymaster

    Hello,

    Sure, we will review this and consider adding such an option in our future updates.

    Kind Regards

    #478705

    Vincent
    Participant

    Dear,

    My website tracking software also reported: vulnerable to PHP Object Injection.

    https://patchstack.com/database/vulnerability/woodmart-core/wordpress-woodmart-core-plugin-1-0-36-php-object-injection?_a_id=350

    Is this fixed?

    Kr,
    Vincent

    #478775

    Artem Temos
    Keymaster

    Hello,

    This bug has already been fixed in our theme. Make sure that you are running the latest version of the theme. Also, the WoodMart core plugin needs to be updated to the latest version, 1.0.39, too. You can do this in WoodMart -> Plugins.

    Kind Regards
