Critical Slider Vulnerability

A critical vulnerability was discovered in a popular WordPress slider plugin called “Slider Revolution” which allowed the hacker to download your ‘wp-config.php’ file and access your database. This type of attack is known as LFI (Local File Inclusion) – where the attacker is able to access and download important/sensitive files on your server.

When an attacker has access to the WordPress’s wp-config.php file, he or she basically has control over the database and can either insert malicious records/payloads into the database OR if the attacker wants to cause harm, delete all your content with click of a button.

This is serious folks, and should be addressed immediately.

Is my WordPress site vulnerable?

If you’ve installed the Slider Revolution plugin, then yes, you should contact the plugin vendor and get and updated version immediately. Don’t wait until your site is hit.

If you’re using a premium theme, you might want to check with the theme developer and ask them if the this slider plugin is included in the theme. Some of the premium themes have this plugin as part of the package.

What to do next?

If you have access to your server logs, you might want to check/look for the following string pattern – “revslider_show” to see if anyone is scanning your site for this vulnerability.  If you have SSH access to your hosting account, you can issue the following command in the Apache log directory:

egrep -ri ‘revslider_show’ *

If you don’t have SSH access, then download the access log file via FTP and then run a search for that string “revslider_show”.

You’d probably see lots of probes from multiple IPs. These probes are just automated scans by various hackers looking for this vulnerability. If you don’t have this plugin installed (or a theme that has this plugin), you’re safe.

See the screenshot below of access logs on fwguys.com.  I’ve blacked out the domains for privacy and highlighted the offending IP addresses in red.

wp-revolution-slider-vulnerability
If you’re hosting provider and you provide WordPress hosting for your clients, then you should take action immediately and warn your client to update this plugin or your server may be compromised.

Credit:  This vulnerability was discovered by Mika Ariela Epstein, a WordPress support guru at Dreamhost. You can follow her tweets here