Critical Security Vulnerability Found in WordPress Slider Revolution Plugin, Immediate Update Advised

The security team at Sucuri recently publicized a critical vulnerability in the WordPress Slider Revolution plugin. The bug has since been patched, but the Slider Revolution development team kept silent about it and did not notify their users of the importance of updating.

The popular commercial slider plugin is sold on CodeCanyon, part of Envato Market. The slider is bundled in theme packages such as Avada, ThemeForest’s top-selling theme. It is also packaged with other popular themes such as X Theme, uDesign, and Jupiter, in addition to being used independently on thousands of websites.

Details of the Vulnerability

This is a nasty security vulnerability by which virtually anyone can read your database credentials and everything else in your site’s configuration. It allows a remote attacker to download any file the web server can read, including the wp-config.php file, which gives the attacker full access to your site. Sucuri shared an example of how one might access a site’s wp-config file by exploiting the vulnerability:

http://victim.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

“This type of vulnerability is known as a Local File Inclusion (LFI) attack,” Sucuri explained. “The attacker is able to access, review, download a local file on the server.”

The Slider Revolution vulnerability was first disclosed on underground forums before the plugin’s author decided to patch it silently. A team of Bangladeshi hackers published a video on YouTube detailing how to exploit vulnerable sites.

The advisory issued on the threat states that the vulnerability is being actively exploited in the wild. It places small, medium, and large government and business entities at high risk.

Sucuri analyzed WAF access logs and confirmed that today alone “there were 64 different IP addresses trying to trigger this vulnerability on more than 1,000 different websites within our environment.”
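The request pattern shown above is easy to spot in ordinary web-server access logs. The following Python is an added example, not code from Sucuri or ThemePunch; it parses Apache combined-format lines (the sample lines are constructed) and flags revslider_show_image requests whose img parameter leaves the slider’s image directory or names wp-config.php, reporting the HTTP status so a 200 response can be triaged as a likely successful file read.

```python
import re
from posixpath import normpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2014:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3210 "-" "curl/7.35.0"
203.0.113.9 - - [10/Sep/2014:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2F..%2Fwp-config.php HTTP/1.1" 200 3210 "-" "python-requests/2.4"
198.51.100.7 - - [10/Sep/2014:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slide1.jpg HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Sep/2014:10:02:30 +0000] "GET /wp-content/uploads/2014/09/banner.png HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Only the fields needed here: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_traversal_img(img: str) -> bool:
    """True when img escapes the slider image directory or names wp-config.php.
    parse_qs already decodes once; decoding again also catches double-encoded input."""
    decoded = unquote(img).replace("\\", "/")
    if decoded.startswith("/") or "wp-config" in decoded.lower():
        return True
    # normpath collapses "images/../../x" to "../x"; anything still starting
    # with ".." points outside the base directory.
    return normpath(decoded).startswith("..") or "../" in decoded

def scan_access_log(text: str) -> list:
    """Return one finding per revslider_show_image request with a traversal img."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["path"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        qs = parse_qs(url.query)
        if qs.get("action", [""])[0] != "revslider_show_image":
            continue
        img = qs.get("img", [""])[0]
        if is_traversal_img(img):
            findings.append({"ip": m["ip"], "img": img, "status": int(m["status"])})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} requested {f['img']} (HTTP {f['status']})")
```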

Users Advised to Update Slider Revolution Immediately

If you are using the Slider Revolution plugin on your site, you need to update immediately to avoid becoming a victim of this critical vulnerability. You should also scan your files and database for evidence of hacking and put hardening measures in place to prevent future attacks.

Although the issue was fixed in version 4.2 of the plugin, issued February 25th, the changelog simply referenced a “security fix.” Users have since commented on the product’s Codecanyon page to express outrage at not having been further notified:

You should have let us know to update immediately. I am signed up for notifications of updates, but the only way I found out about this was through the Sucuri blog.

The team at ThemePunch, the plugin’s creators, allegedly contacted multiple security companies for advice on the matter.

“We urgently discussed this security issue with leading Security Companies and we were strongly advised to go with a Silent Update,” a ThemePunch representative replied. They also referenced an auto update system that users can sign up for to receive notice in the future.

“We have an Update system for Auto Updates, for which you can register once you have purchased the item, which informs you about new updates.”

The Risk of Using Free or Commercial Extensions Without Update Notifications

If you are using a commercial plugin or theme that has no auto-update system or relies on email to notify you of updates, you need to be very proactive about keeping yourself informed. A critical security vulnerability, such as the one reported for Slider Revolution, can easily take down your site(s) if you neglect updates. Theme authors don’t always update their bundled plugins, and their users cannot take advantage of the auto-update system provided by the plugin author.

This particular security threat wouldn’t put so many sites in danger if the Slider Revolution plugin was not bundled into themes. Bundling commercial plugins with themes tends to obscure the details of how users can get plugin updates. Even with an update notification system, users are made vulnerable by developers who patch silently and don’t make an effort to notify their user base about a critical security update. Users can protect themselves from situations like this by declining to purchase themes that bundle plugins/functionality.

27 Comments


  1. Thanks for the quick notice, Sarah! I disabled and deleted the plugin. What jerks. Silent update, my A$$

    1. If you do not have the auto-update function, contact their support at http://themepunch.ticksy.com with the license key of your theme. No need to cuss; that is no help. Sarah, please include this effort in your article as well. I have no connection with Envato, just spreading the word.

      1. I totally disagree. The slider plugin was bundled in a theme that a PREVIOUS web developer installed for one of my clients. As such, I do not have the theme license key. There is NO WAY that I would ever have known about this extreme vulnerability had Sucuri not released it.

        The bundling of premium plugins in purchased themes is maybe a practice that needs further discussion, for just this very reason. There are, however, excellent theme designers who do it the right way, like http://www.web-savvy-marketing.com who give you a personal license to any premium plugins that are included.

        On an aside, the one three-letter word that I used is mild in comparison to the damage that was caused by the author’s “silent update” strategy.

  2. If you have purchased a theme that included this plugin prior to the update going out, you may need to contact that theme developer or ensure a fixed version is packaged with the theme you have purchased. Many themes have this plugin included, which in turn only allows updates to occur if the theme developer issues an update with a fixed version of the plugin.

    1. Yes, just be careful, though, that when you upgrade the plugin you may also need the latest version of that theme installed first, as I saw a note from a theme developer yesterday.

  3. Hi Sarah,
    4 days ago I wrote an article about my misadventure and hacking with Revolution Slider -> http://goo.gl/UKg9sB (feel free to remove that link)

    So far I have not given others the means to replicate this hack, but only the way to protect against it… I’ve also warned the authors (theme and plugin)

    In my opinion it is dangerous to give hackers this line of code and the explanatory video…

  4. Considering that there are hundreds of commercial themes sold with Slider Revolution embedded, this is a bit scary, because for sure not all theme devs will update or warn their users.

    Regarding your suggestion not to buy themes with embedded plugins: it is a good point, but you can save a lot of money doing this.

  5. Wowzers, that really is a security flaw! Thing is, without some way to reliably inform users (some of whom will not check their sites regularly of course) this kind of plugin-caused vulnerability will no doubt crop up again and again… Quite disturbing really!

  6. Just a quick note: this issue was originally fixed in February by ThemePunch, the developers of RevSlider. With that being said, Avada is always up-to-date with the included plugins.

    Always remember to update your theme and plugins. Both the theme and plugin have the WordPress built-in plugin updater. Enter your purchase key in the right area (always mentioned in the documentation) and update regularly. This goes for all themes and plugins.

  7. Security issues are serious and anyone who is using the plugin should update.

    For the Avada theme, which does include the Revolution Slider plugin, the theme and plugin were updated back in February. Simply update your theme to the latest version.

    And it is also recommended to update to Avada 3.5 or higher, because there is now an auto updater which will notify you of updates.

    Thanks!

  8. Too bad WordPress won’t allow paid plugins to be sold through wordpress.org (and why paid themes but not plugins?). Since they don’t, we are left with a patchwork of different web sites and auto-updaters. C’mon WordPress, it’s time to make an ‘app store’ so we can get updates from one place and keep our blogs secure.

  9. I’m not exactly thrilled with premium plugins being packaged into themes but this is such a silly statement: “Users can protect themselves from situations like this by declining to purchase themes that bundle plugins/functionality.”

    With the same logic, users shouldn’t use any product that has ever had a security flaw. Like WordPress itself?

  10. I’ve written up how to manually patch older Revolution Sliders to fix this, at http://goo.gl/OdsV4E
    The patch is easy to apply; it just needs one new function and replacing a couple of lines in another.

    1. John – Thanks for sharing that. Might be helpful for those who no longer have access to plugin updates or those who are using themes where the theme author isn’t bothering to provide an update.

  11. Hi All,

    I just wanted to link to a post about this from Envato (disclaimer I work for them): http://marketblog.envato.com/general/plugin-vulnerability/.

    That post outlines what we’re doing, links to a list of themes which were potentially affected, and has information for users on how to get an updated version of the plugin (they can get this for free), etc.

    We’ll be contacting all buyers of the potentially affected themes via email and making sure they are aware of the situation and what they should do.

    We’ve been going through the list of potentially affected items, checking them and disabling if they still have an affected version of the plugin. Once the authors have updated their themes to include a fixed version of the plugin, we’ll re-activate them.

    Any questions, let me know! Also, if anyone notices any security issues with a ThemeForest or CodeCanyon item in future, please let me know so we can take action.

    Cheers,
    Stephen

  12. Revolution Slider was bundled with the theme we purchased from ThemeForest for our site, along with Visual Composer. I found that both of these tools were not receiving updates anywhere near the frequency via the bundle vs the individual licensing/download route. I ended up purchasing additional individual licenses so I could keep both plugins up-to-date. I’ve since taken the position that any premium plugins that are ‘bundled’ with a theme or other plugin will need to also be purchased separately in order to access more frequent updates and maintain the integrity/security of my WordPress installation.

  13. I still don’t get how you would access the database if that particular website’s server doesn’t allow remote access?

    1. Just log into your Envato Market account and re-download the plugin. It doesn’t cost you anything more.

      1. My plugin comes with the theme, unfortunately, and I won’t pay for it to get the updated version.

        If I am wrong, send me the link where I can do so.

        Thanks

      2. Then re-download the theme. If the author hasn’t updated it yet with the latest version of the plugin, send them a message and have them do it.

  14. Big Thanks to John Buckner for the Slider 4.2 Revolution Security Patch!
    Woot Woot! Much love, coffee, hipsters, and passive/aggressiveness from Seattle.

  15. Would also be good to install WordFence to protect against this sort of thing.
