The security team at Sucuri publicized a critical vulnerability found in the WordPress Slider Revolution plugin recently. The bug has since been patched, but the development team for Slider Revolution kept silent about it and did not notify their users of the importance of updating.
The popular commercial slider plugin is hosted on Codecanyon, an offshoot of EnvatoMarket. The slider is bundled in theme packages, such as Avada, Themeforest’s top-selling theme. It’s also packaged with other popular themes such as X Theme, uDesign, and Jupiter, in addition to being used independently on thousands of websites.
Details of the Vulnerability
This is a nasty security vulnerability by which virtually anyone could easily gain access to your database credentials and everything else. It allows a remote attacker to download any file from the server, including the wp-config.php file, which gives the hacker full access to your site. Sucuri shared an example of how one might easily access a site’s wp-config file by exploiting the vulnerability:
http://victim.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
“This type of vulnerability is known as a Local File Inclusion (LFI) attack,” Sucuri explained. “The attacker is able to access, review, download a local file on the server.”
The Slider Revolution vulnerability was first disclosed via underground forums before the plugin’s author decided to patch it silently. A team of Bangladeshi hackers published a video on YouTube, detailing how to exploit sites that are vulnerable.
The advisory issued on the security threat states that the vulnerability is being actively exploited in the wild, placing small, medium, and large government and business entities at high risk.
Sucuri analyzed WAF access logs and confirmed that today alone “there were 64 different IP addresses trying to trigger this vulnerability on more than 1,000 different websites within our environment.”
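The request pattern quoted above (the revslider_show_image action with a traversal in its img parameter) is simple enough to hunt for in your own access logs, the same way Sucuri counted source IPs and targeted sites in its WAF logs. The script below is an added example written for this article, not code from Sucuri or ThemePunch. It assumes Apache-style access logs with the virtual host appended as the last field (a custom log format), and the log lines, IP addresses, hostnames and timestamps in it are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines: combined format plus the vhost as a trailing
# field. Addresses and hostnames are documentation ranges, not real sites.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2014:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0" shop.example.org
203.0.113.7 - - [25/Feb/2014:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%252F..%252Fwp-config.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0" blog.example.net
198.51.100.22 - - [25/Feb/2014:10:02:40 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 512 "-" "curl/7.35" shop.example.org
192.0.2.9 - - [25/Feb/2014:10:03:01 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slider1.jpg HTTP/1.1" 200 54210 "-" "Mozilla/5.0" shop.example.org
192.0.2.9 - - [25/Feb/2014:10:03:05 +0000] "GET /index.php HTTP/1.1" 200 12000 "-" "Mozilla/5.0" shop.example.org
"""

# Assumed log layout: ip ident user [ts] "method path proto" status bytes "ref" "ua" vhost
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<vhost>\S+)$'
)

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (bounded) so ..%252F is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_revslider_lfi(path: str) -> bool:
    """True if the request hits revslider_show_image with an img value that
    traverses directories, is absolute, or names a non-image file."""
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    query = parse_qs(parts.query)  # parse_qs already decodes one layer
    if query.get("action", [""])[0] != "revslider_show_image":
        return False
    img = fully_decode(query.get("img", [""])[0])
    if not img:
        return False
    norm = img.replace("\\", "/")
    if ".." in norm.split("/") or norm.startswith("/"):
        return True
    # The legitimate use of this action is to serve slider images.
    return not norm.lower().endswith(IMAGE_EXTS)


def summarize(log_text: str) -> dict:
    """Count attempts, distinct source IPs and distinct targeted vhosts."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match and is_revslider_lfi(match["path"]):
            hits.append((match["ip"], match["vhost"], match["status"]))
    return {
        "attempts": len(hits),
        "source_ips": sorted({ip for ip, _, _ in hits}),
        "targeted_sites": sorted({host for _, host, _ in hits}),
        # A 200 does not prove the file was served, but these are the
        # requests to inspect first (response size, follow-up activity).
        "returned_200": sum(1 for _, _, status in hits if status == "200"),
        "hits": hits,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['attempts']} attempts from {len(report['source_ips'])} IPs "
          f"against {len(report['targeted_sites'])} sites "
          f"({report['returned_200']} returned 200)")
    for ip, host, status in report["hits"]:
        print(f"  {ip} -> {host} [{status}]")
```

On the constructed sample this reports three attempts from two IPs against two sites, two of which returned 200; the double-encoded variant is caught because the img value is decoded until it stops changing before the traversal check runs, and the legitimate slider1.jpg request is left alone.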
Users Advised to Update Slider Revolution Immediately
If you are using the Slider Revolution plugin on your site, you need to update immediately to avoid becoming a victim of this critical vulnerability. You should also scan your files and database for evidence of hacking and put hardening measures in place to prevent future attacks.
Although the issue was fixed in version 4.2 of the plugin, issued February 25th, the changelog simply referenced a “security fix.” Users have since commented on the product’s Codecanyon page to express outrage at not having been further notified:
You should have let us know to update immediately. I am signed up for notifications of updates, but the only way I found out about this was through the Sucuri blog.
The team at ThemePunch, the plugin’s creators, allegedly contacted multiple security companies for advice on the matter.
“We urgently discussed this security issue with leading Security Companies and we were strongly advised to go with a Silent Update,” a ThemePunch representative replied. They also referenced an auto update system that users can sign up for to receive notice in the future.
“We have an Update system for Auto Updates, for which you can register once you have purchased the item, which informs you about new updates.”
The Risk of Using Free or Commercial Extensions Without Update Notifications
If you are using a commercial plugin or theme that has no auto-update system or relies on email to notify you of updates, you need to be very proactive about keeping yourself informed. A critical security vulnerability, such as the one reported for Slider Revolution, can easily take down your site(s) if you neglect updates. Theme authors don’t always update their bundled plugins, and their users cannot take advantage of the auto-update system provided by the plugin author.
This particular security threat wouldn’t put so many sites in danger if the Slider Revolution plugin was not bundled into themes. Bundling commercial plugins with themes tends to obscure the details of how users can get plugin updates. Even with an update notification system, users are made vulnerable by developers who patch silently and don’t make an effort to notify their user base about a critical security update. Users can protect themselves from situations like this by declining to purchase themes that bundle plugins/functionality.
Thanks for the quick notice, Sarah! I disabled and deleted the plugin. What jerks. Silent update, my A$$