Monday, September 15, 2014

WordPress Slider Revolution plugin critical vulnerability

Attention WordPress users! If you use a premium theme that has bundled with it the "Slider Revolution" plugin (one notable and extremely popular theme that includes this is Avada), then you need to upgrade your theme immediately.

There has been a critical security vulnerability found, as reported by the Sucuri security company, who specialize in WordPress security issues, and also WPTavern. The Sucuri article carries much more detailed information about what this exploit can do, but it might be a difficult read for some users.

Since there are WordPress vulnerabilities that are disclosed just about every day, you might wonder why this particular one rates a post in our status blog. Not only is this a particularly nasty exploit, but the fact that it involves a plugin that's included in premium themes, and therefore makes it more difficult for the average WordPress site owner to upgrade, or even receive a notification of the upgrade being available.

As Sarah Gooding states in the WPTavern article:
The Risk of Using Free or Commercial Extensions Without Update Notifications

If you are using a commercial plugin or theme that has no auto-update system or relies on email to notify you of updates, you need to be very proactive about keeping yourself informed. A critical security vulnerability, such as the one reported for Slider Revolution, can easily take down your site(s) if you neglect updates. Theme authors don’t always update their bundled plugins and their users cannot take advantage of the auto update system provided by the plugin author.
In addition, the Developers of the Slider Revolution plugin chose not to announce there was a security issue, nor notify users of the importance of this upgrade. It's possible a good number of WordPress owners have no idea there's a security issue, and when that involves a very popular WordPress theme, that can be a recipe for disaster.

 Envato (the marketplace that sells most WordPress premium themes) has releases a comprehensive list of the themes possibly affected by this vulnerability. I would urge you to check to see if your WordPress theme is on that list, and update accordingly.
To upgrade a premium theme such as Avada, you'll need to login to your account with the Envato marketplace. If you have trouble logging in I would recommend contacting Envato support.

We are already seeing scans for this vulnerability, so upgrading immediately is vital.

"GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

We've taken steps to block any requests for that URL in Mod_Security, this should be a temporary fix until all users can upgrade their affected themes.

We do all we can to assist our hosting users and keep your websites and data safe, but ultimately it's your responsibility for what software is installed and used on your website, and your responsibility to keep it updated (per our Terms of Service).

WordPress can be deceptively simple to use, but the back-end is very powerful. And with great power, comes great responsibility.If this is something that's beyond your ability to handle, hire a knowledgeable WordPress admin (like us!). The cost of having someone who knows what they're doing at the helm is far less than what it would cost, in time, money, and lost business reputation to deal with your WordPress site being hacked.

To stay updated and notified of available WordPress updates, you should have email notifications of updates enabled in your WordPress dashboard, or (if you're our hosting customer) through Installatron.

To be notified of general Internet and hosting security issues, please either subscribe to this blog, and/or follow us on Facebook, Tumblr, or Twitter.