Critical vulnerability in slider plugin for Wordpress Slider Revolution

Blog Categories

Basket of services

Company news

Thursday, 24 December 2015: Merry Christmas and Happy New Year!
Monday, 20 April 2015: Accepting payments through payment system Webmoney and Z-Payment restored
Saturday, 18 April 2015: Unavailable accepting payments via Webmoney and Z-Payment
Thursday, 05 March 2015: To order new services are available - DNS hosting and secondary DNS server
Wednesday, 25 February 2015: Added new ways to pay for services

Recent blog posts

Critical vulnerability in slider plugin for Wordpress Slider Revolution

Friday, 13 March 2015 02:03

Back in September 2014 published a critical vulnerability in the popular plugins for Wordpress Slider Revolution, but to this day we meet a lot of sites exposed the vulnerability.

The vulnerability allows, with absolutely no rights on your site, download wp-config.php file to your site, which contains your data to access the database. With these approaches, an attacker can easily gain control over your site. Vulnerability affects all versions of the plug-in to version 4.1.4. The situation is complicated by the fact that this plugin is not free, it cost $ 18, and so many people from CIS countries use on their websites older versions downloaded from free resources, subject to this vulnerability because they do not have access to updates.

Query, download your config looks like this:

http://websait.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

You can replace websait.com address of your website and enter this query in the address bar of your site.

However, even if it does not download a file to your config, it does not mean that your site is not vulnerable. Check the version of the plug, if it is lower than 4.1.4, you should in any case be updated and check your website for hacking.

Currently available plug-in Patch for Revolution Slider, which supposedly closes this vulnerability. So whether it is in fact, we unfortunately did not check.

At any time you can get help from our experts, we will help to update the plug-in, close the vulnerability, delete malicious code and protect your site from hacking.