Automatically update

Hello.
I have all plugins with automatically update option enabled.
But how to automatically update Woodmart theme + Woodmart core + every plugin with theme?

Hello,

You need to make the full backup of the site, update the theme in Appearance > Themes, then update all the plugins in Appearance > Install plugins. They never updated automatically.

If you have any questions please feel free to contact us.

Best Regards

[ktworker]

Hello.
It is highly important to do automatically update.
Our website has hacked TWICE this year because of vulnerability of Woodmart

• This reply was modified 1 year, 9 months ago by ktworker.

[ktworker]

Today we received message about MalCare that our website was hacked and we need to update WoodMart.
So it is very important to do it automatically

• This reply was modified 1 year, 9 months ago by ktworker.
• This reply was modified 1 year, 9 months ago by ktworker.

Malcare sent me
https://patchstack.com/database/vulnerability/woodmart-core/wordpress-woodmart-core-plugin-1-0-36-php-object-injection
https://patchstack.com/database/vulnerability/woodmart-core/wordpress-woodmart-core-plugin-1-0-36-privilege-escalation

I’m afraid that hacker downloaded all orders and clients details (emails,phone,addresses,names,etc)…

But I did not receive notifications about this issue from WoodMart and cannot update it automatically.

It is not first vulnerable and I think it is not good practice to update theme manually,
I prefer to broke website after autoupdate than someone could hack and download clients details.

Hello,

These vulnerabilities don’t allow hackers to download your clients’ details so you don’t need to worry about that.

Unfortunately, WordPress doesn’t provide a mechanism to install updates automatically for plugins and themes.

Kind Regards

[ktworker]

Hello.
Please check
https://patchstack.com/database/vulnerability/woodmart-core/wordpress-woodmart-core-plugin-1-0-36-php-object-injection
https://patchstack.com/database/vulnerability/woodmart-core/wordpress-woodmart-core-plugin-1-0-36-privilege-escalation

—> “After this they could take full control of the website”

Full control = Full control.
They could download clients database if Woodmart is not updated.

_____

> Unfortunately, WordPress doesn’t provide a mechanism to install updates automatically for plugins and themes.

Wordpress allow to autoupdate core and plugins. WP developers made this options after situation when a lot of websites were hacked because of vulnerability in popular plugin.
Also, WP is as LEGO, you as developer, could make autoupdate for your theme, plugins ans other assets.

Why you do not want to do it?
I prefer broken website than someone could download my clients database and access admin.
Please make it optionally.

OR
send us email if something same was found.
Because it is not okay that my website was hacked and my clients database was downloaded.

I have a license and you know my email but I see NO notifications about Woodmart vulnerability and no one asked me to update it.

I just received email from MalCare AFTER my website was hacked!

• This reply was modified 1 year, 9 months ago by ktworker.
• This reply was modified 1 year, 9 months ago by ktworker.
• This reply was modified 1 year, 9 months ago by ktworker.

Hello,

You can try to reproduce this on your website and you will see that you will not be able to get full control over your website.

ThemeForest sends email notifications once the new version is released. We mentioned in our changelog that this update is important to fix the vulnerability.

Kind Regards

[ktworker]

> You can try to reproduce this on your website and you will see that you will not be able to get full control over your website

I have no tech details about it to reproduce. I am not a developer.
I trust for patchstack.com and their CRITICAL status of this issue.

I checked and found fake admin accounts in my WP (I did not create it).

I had to restore WP from backup to solve it.

> ThemeForest sends email notifications once the new version is released

It is not a solution in this situation. ThemeForest notifications sent with delay sometimes.

> We mentioned in our changelog that this update is important to fix the vulnerability.

Do you really think that customers should read changelog every day?))))

____
Please make an autoupdate as option for clients to avoid this issues in future. Please send it to developers!

• This reply was modified 1 year, 9 months ago by ktworker.

Hello,

Sure, we will review this and consider adding such option in our future updates.

Kind Regards

Dear,

My website tracking software also reported: vulnerable to PHP Object Injection.

https://patchstack.com/database/vulnerability/woodmart-core/wordpress-woodmart-core-plugin-1-0-36-php-object-injection?_a_id=350

Is this fixed?

Kr,
Vincent

Hello,

This bug has been already fixed in our theme. Make sure that you are running the latest version of the theme. Also, the WoodMart core plugin needs to be updated to the latest version 1.0.39 too. You can do this in WoodMart -> Plugins.

Kind Regards

[Author]

Posts