Viewing 16 posts - 1 through 16 (of 16 total)

    Hi Guys,

    I have Vaultpress on one of my sites and today it’s started giving a warning about the file:

    ‘preview-shortcode-external.php’ in themes: /shoutbox/framework/php/avia_shortcodes/

    I think this is related to the recent woothemes exploit – any idea if this affects ‘ShoutBox’ or other Kriesi themes? Vaultpress is recommending I delete preview-shortcode-external.php – is it safe to do that? Will it cause any problems with shortcodes?

    Here is some more about the exploit (Purchase code hidden if logged out) -framework-now.html


    I think Vaultpress is flagging this up as the file names of both the woothemes ‘preview-shortcode-external.php’ and ShoutBox ‘preview-shortcode-external.php’ files are the same? The code looks very different.


    Hi eddygame,

    I’m not sure about that. I’ll talk to Kriesi as I’m sure he’s been busy checking into this since he makes such intimate use of WooCommerce.

    In the meantime, you can always make a quick backup of the theme then delete the file and test for any functionality concerns. Offhand, you will definitely not be able to use the pop-up shortcode generator but you could still use the shortcodes in the actual pages.




    Cheers Devin, good advice and probably worth doing as a precaution until the issue is resolved.

    Hopefully get a full answer from Kriesi pretty soon.


    It doesn’t look like it will be a big issue and to be honest I don’t *think* it will affect the themes at all. Definitely keep WooCommerce up to date in the coming weeks just in case.


    I dunno about this – I’m nervous because it has to do with the Shortcode Exploit that was found 4/23. I’d LOVE to see this addressed ASAP, because the patch is a *theme* patch. I know the code is different in these themes, it would still be nice to have eyes on it and some reassurance. Thank you!!

    (Purchase code hidden if logged out) -fixed/


    Must admit, it makes me a little nervous too – from what I can tell of the woothemes issue, it’s very easy to add shortcode to a site with the hack.

    Would like to see a ‘this is absolutely not an issue for our themes’ kinda response.


    Hey Guys! I am currently in contact with woothemes to get some more knowledge on the issue, and I’ll let you know as soon as I know more. In the meantime, if you are afraid of the exploit, open your theme folder with an FTP tool and remove the

    “framework/php/avia_shortcodes/preview-shortcode-external.php” file

    The file is not necessary for the theme to work, the only functionality lost will be the shortcode previews when you create a new one.

    I’ll keep you posted!




    Thanks for the update Kriesi – please keep us posted on developments.



    Will do :)

    Since the downtime of woothemes those guys are really busy it seems, so it might be a few more hours until I get an answer from the framework developer :)

    Best regards,



    Yeah! I wouldn’t want to be in the woothemes office this week!


    Ok guys!

    I have released a patch for all framework themes. I am still not sure if the issue WooThemes is having is directly related to this file but I figured it wouldn’t be bad adding some additional security. The file now stops executing if the user is not logged in and doesn’t have the capability to edit code.

    That should fix any holes in the preview system ;)

    As always you can download the latest version of the themes on themeforest


    That’s great news Kriesi – thanks for update… can you confirm if it’s just the file ‘preview-shortcode-external.php’ that needs replacing or the whole framework folder?


    And one more question… can we pick up the updated themes from themeforest?



    You can already get the update at themeforest, yes.

    Updating this preview-shortcode-external.php and the dialog.php file within the shortcode folder is sufficient :)




    You’re a star Dude – thanks


The topic ‘Security Waring’ is closed to new replies.
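
The patch described in the thread makes the preview file stop unless the requester is logged in with an editing capability. The script below is an added example, not code from the thread or from the theme: it lists every copy of preview-shortcode-external.php under a themes directory and reports whether it contains a capability check. It assumes a patched copy calls WordPress's current_user_can(); the sample tree and the PHP lines in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit theme folders for the shortcode preview file.
# Heuristic (assumption): a patched copy calls WordPress's current_user_can().
# A CHECK-PRESENT result still deserves a manual read of the file.

audit_preview_files() {
    # $1 = themes directory, e.g. wp-content/themes
    report=$(
        find "$1" -type f -name 'preview-shortcode-external.php' |
        while IFS= read -r f; do
            if grep -q 'current_user_can' "$f"; then
                printf 'CHECK-PRESENT %s\n' "$f"
            else
                printf 'NO-CHECK %s\n' "$f"
            fi
        done
    )
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    # Non-zero exit when any copy lacks the check, so cron or CI can alert.
    if printf '%s\n' "$report" | grep -q '^NO-CHECK '; then
        return 1
    fi
    return 0
}

# Constructed sample tree (not real theme code): one copy with a check, one without.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/theme-a/framework/php/avia_shortcodes" \
             "$root/theme-b/framework/php/avia_shortcodes"
    printf '%s\n' '<?php if ( ! current_user_can( "edit_posts" ) ) { die(); }' \
        > "$root/theme-a/framework/php/avia_shortcodes/preview-shortcode-external.php"
    printf '%s\n' '<?php echo "preview";' \
        > "$root/theme-b/framework/php/avia_shortcodes/preview-shortcode-external.php"
    printf '%s\n' "$root"
}

sample=$(make_sample_tree)
audit_preview_files "$sample" || echo "at least one copy needs updating or removing"
rm -rf "$sample"
```

On a real site, point the function at the installation's themes directory; a NO-CHECK line marks a copy to replace with the updated theme files or to delete as suggested in the thread.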