Hackers exploit critical vulnerability in popular WordPress theme component

WordPress admins should check if their sites use the Slider Revolution plug-in and update it immediately, researchers said

Attackers are actively exploiting a critical vulnerability in a WordPress plug-in that's used by a large number of themes, researchers from two security companies warned Wednesday.

The vulnerability affects versions 4.1.4 and older of Slider Revolution, a commercial WordPress plug-in for creating mobile-friendly content display sliders. The flaw was fixed in Slider Revolution 4.2 released in February, but some themes -- collections of files or templates that determine the overall look of a site -- still bundle insecure versions of the plug-in.

The vulnerability can be exploited to execute a local file inclusion (LFI) attack that gives hackers access to a WordPress site's wp-config.php file, researchers from Web security firm Sucuri said in a blog post. This sensitive file contains database access credentials that can be used to compromise the whole site, the researchers said.

In February, ThemePunch, the developer of Slider Revolution, mentioned in the release notes of version 4.2 that a security issue had been fixed but didn't release any additional details about the problem or its impact.

Information about the vulnerability circulated on underground forums for several months, but on Sept. 1 someone posted a proof-of-concept exploit for it on a public site, including a list of WordPress themes that are likely affected, security researchers from Trustwave said Wednesday in a blog post. "Our web honeypots picked up increased scanning activity today."

Sucuri researchers also observed attempts to exploit the vulnerability. "Today alone, there were 64 different IP addresses trying to trigger this vulnerability on more than 1,000 different websites within our environment," they said.

Slider Revolution is sold via CodeCanyon.net, an online market for Web scripts and other components. The plug-in is bought by regular site owners, but also by WordPress theme developers who then bundle it inside their products to enable content slider functionality.

The problem is that when bundled with themes, Slider Revolution's automatic update mechanism is typically disabled. Users then have to rely on theme authors to update the plug-in along with their themes, which in many cases doesn't happen.

"We fix all issues within hours," a technical support representative for Damojo, the Cologne, Germany, company that owns ThemePunch, said Thursday via email. "As you know it is essential that all your plugins, WordPress and servers are always updated with the latest releases. Our direct customers do and can update their plugin regularly and automatically if they choose to."

"The main issue is that theme authors that bundled the slider within their theme did not update the plugin for their customers," the Damojo representative said. "The hint 'Security Fix' [in the release notes] should have ringed some bells. Why haven't they updated the plugin since February?"

The latest version of Slider Revolution is 4.6, released on Aug. 25, but this particular vulnerability only affects versions older than 4.2.

The Damojo representative advised users to check if their themes contain a vulnerable version of the plug-in and to contact the theme authors in case they do, adding that the company shouldn't be blamed for someone else's failures.

This incident highlights yet again the risks of insecure third-party code reuse, a widespread problem that affects all types of software, not just Web applications and WordPress themes.

Many developers use third-party components and libraries in their own software projects and fail to keep up with their security updates. This can lead to situations where a vulnerability is identified and fixed in a software package, but lingers on for months or years in other applications.

Join the CSO newsletter!

Error: Please check your email address.

Tags patchesintrusiontrustwavesecuritypatch managementSucuriDamojoExploits / vulnerabilities

More about Trustwave

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place