27 Comments

  1. Brenda Malone

    Thanks for the quick notice, Sarah! I disabled and deleted the plugin. What jerks. Silent update, my A$$


    • help

      If you do not have the autoupdate function, contact their support at http://themepunch.ticksy.com with the license key of your theme. No need to cuss; that is no help. Sarah, please include this effort in your article as well. I have no connection with Envato, just spreading the word.


      • Brenda

        I totally disagree. The slider plugin was bundled in a theme that a PREVIOUS web developer installed for one of my clients. As such, I do not have the theme license key. There is NO WAY that I would ever have known about this extreme vulnerability had Sucuri not released it.

        The bundling of premium plugins in purchased themes is maybe a practice that needs further discussion, for just this very reason. There are, however, excellent theme designers who do it the right way, like http://www.web-savvy-marketing.com who give you a personal license to any premium plugins that are included.

        On an aside, the one three-letter word that I used is mild in comparison to the damage that was caused by the author’s “silent update” strategy.


  2. akismet-940d3863f1a80fb264741ccfbce2570a

    If you have purchased a theme that included this plugin prior to the update going out, you may need to contact that theme developer or ensure a fixed version is packaged with the theme you have purchased. Many themes have this plugin included, which in turn only allows updates to occur if the theme developer issues an update with a fixed version of the plugin.


    • Roland Kenny

      Yes, just be careful though: when you upgrade the plugin you may also need the latest version of that theme installed first, as I saw in a note from a theme developer yesterday.


  3. WP Formation

    Hi Sarah,
    4 days ago I wrote an article about my misadventure and hacking with Revolution Slider -> http://goo.gl/UKg9sB (feel free to remove that link)

    So far I have not given the means for others to replicate this hack, but the way to protect… I’ve also warned the authors (theme and plugin)

    In my opinion it is dangerous to give this line of code and the explanatory video to hackers…


  4. Marco Ragogna

    Considering that there are hundreds of commercial themes sold with Slider Revolution embedded, this is a bit scary, because for sure not all theme devs will update or warn their users.

    Regarding your suggestion not to buy themes with embedded plugins: it is a good point, but you can save a lot of money doing this.


  5. Brin Wilson

    Wowzers, that really is a security flaw! Thing is, without some way to reliably inform users (some of whom will not check their sites regularly of course) this kind of plugin-caused vulnerability will no doubt crop up again and again… Quite disturbing really!


  6. Muhammad Haris (@mharis)

    Just a quick note, this issue was originally fixed in February by themepunch, the developers of Revslider. With that being said, Avada is always up-to-date with the included plugins.

    Always remember to update your theme and plugins. Both the theme and plugin have WordPress built-in plugin updater. Enter your purchase key in the right area (always mentioned in the documentation) and update regularly. This goes for all themes and plugins.


  7. ThemeFusion

    Security issues are serious and anyone who is using the plugin should update.

    For the Avada theme, which does include the Revolution Slider plugin, the theme and plugin were updated back in February. Simply update your theme to the latest version.

    And it is also recommended to update to Avada 3.5 or higher, because there is now an auto updater which will notify you of updates.

    Thanks!


  8. Leslie

    Too bad WordPress won’t allow paid plugins to be sold through wordpress.org (and why paid themes but not plugins?). Since they don’t, we are left with a patchwork of different web sites and auto-updaters. C’mon WordPress, it’s time to make an ‘app store’ so we can get updates from one place and keep our blogs secure.


  9. The Hound

    I’m not exactly thrilled with premium plugins being packaged into themes but this is such a silly statement: “Users can protect themselves from situations like this by declining to purchase themes that bundle plugins/functionality.”

    With the same logic, users shouldn’t use any product that has ever had a security flaw. Like WordPress itself?


  10. John Buckner

    I’ve written up how to manually patch older Revolution Sliders to fix this, at http://goo.gl/OdsV4E
    The patch is easy to apply – it just needs one new function and replacing a couple of lines in another.


    • Sarah Gooding

      John – Thanks for sharing that. Might be helpful for those who no longer have access to plugin updates or those who are using themes where the theme author isn’t bothering to provide an update.


  11. Stephen Cronin

    Hi All,

    I just wanted to link to a post about this from Envato (disclaimer I work for them): http://marketblog.envato.com/general/plugin-vulnerability/.

    That post outlines what we’re doing, links to a list of themes which were potentially affected, and has information for users on how to get an updated version of the plugin (they can get this for free), etc.

    We’ll be contacting all buyers of the potentially affected themes via email and making sure they are aware of the situation and what they should do.

    We’ve been going through the list of potentially affected items, checking them and disabling if they still have an affected version of the plugin. Once the authors have updated their themes to include a fixed version of the plugin, we’ll re-activate them.

    Any questions, let me know! Also, if anyone notices any security issues with a ThemeForest or CodeCanyon item in future, please let me know so we can take action.

    Cheers,
    Stephen


  12. Tim G.

    Revolution Slider was bundled with the theme we purchased from ThemeForest for our site, along with Visual Composer. I found that both of these tools were not receiving updates anywhere near the frequency via the bundle vs the individual licensing/download route. I ended up purchasing additional individual licenses so I could keep both plugins up-to-date. I’ve since taken the position that any premium plugins that are ‘bundled’ with a theme or other plugin will need to also be purchased separately in order to access more frequent updates and maintain the integrity/security of my WordPress installation.


  13. thegoodhireguide

    I still don’t get how you would access the database if that particular website’s servers don’t allow remote access?


  14. thegoodhireguide

    I believe these mistakes have been made on purpose so people have to buy their new updates …


  15. ninjaseattle

    Big Thanks to John Buckner for the Slider 4.2 Revolution Security Patch!
    Woot Woot! Much love, coffee, hipsters, and passive/aggressiveness from Seattle.


  16. Jesse Gonzales

    I created a video of how to update it if anyone needs help. Good luck guys!
    How to update slider revolution aka rev slider aka revolution slider – https://www.youtube.com/channel/UCRviPdezItDODicor0iHkXA


  17. Jim Walker

    Of course it doesn’t end here. Hackers love this exploit… https://plus.google.com/+Hackrepair/posts/eokFRJEmrZD


  18. Granulr

    Would also be good to install WordFence to protect against this sort of thing.

