06 Sep

WP Plugin Exploits: Many Themes At Risk!

Recently disclosed vulnerabilities in two WordPress plugins have left over 1,000 WordPress themes vulnerable, and in turn many thousands of sites at risk, because the vulnerable plugins have been bundled with and integrated into many commercial WordPress themes.

The plugins are Revolution Slider and Showbiz Pro. Both are sold as standalone plugins on CodeCanyon.net, but they are also integrated into hundreds of WordPress themes sold on Themeforest.net.

Revolution Slider & Showbiz Pro Plugins

Both plugins are by ThemePunch and are sold as stand-alone WordPress plugins on CodeCanyon. Revolution Slider is the more popular and widely used of the two. If you installed either one as a plugin, you can check the version number your site is using on the Plugins page in your WP Admin; a copy bundled inside a theme will not appear there (see below).

Revolution Slider
Vulnerable versions: earlier than v4.2 (released Feb 2014).

Showbiz Pro
Vulnerable versions: earlier than v1.5.3 (released Jan 2014).

Both plugins were updated some time ago by the plugin developer to address the vulnerability. If you have either of these two plugins, you are urged to update to the latest version immediately! Fortunately, if you bought either one as a plugin, the upgrade process is easy: re-download it from your CodeCanyon account and upload it.

Envato (owners of CodeCanyon & ThemeForest) have posted about the plugin vulnerability here.

1,099 WordPress Themes Vulnerable

These plugins (particularly Revolution Slider) are used in *many* commercial WP themes sold on Themeforest, including some of the top-selling themes on the site, which means many thousands of WordPress sites are vulnerable to the exploits.

Unfortunately, when theme developers integrate a plugin such as these into a WP theme, it is not usually handled as a separate plugin (in the /wp-content/plugins/ folder); instead it forms part of the theme code and resides in the theme folder.

This means it is not as simple as updating the plugin from the Plugins page in the WP admin. Instead you will need to check whether the developer of the theme you are using has released an updated version of the theme that includes the fixed version of the plugin, and then download the theme again and upload it.
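To find theme-bundled copies that the Plugins page never lists, the following script walks wp-content, including the themes folder, reads the version header of every copy it finds, and compares it with the fixed releases named above (Revolution Slider 4.2, Showbiz Pro 1.5.3). This is an added example written for this article, not code from ThemePunch or Envato. It assumes the plugin main files are named revslider.php and showbiz.php and carry a standard WordPress `Version:` header; the directory tree it builds for the demo is constructed for illustration, not taken from a real theme.

```python
"""Locate every copy of Revolution Slider / Showbiz Pro under wp-content,
including copies bundled inside theme folders, and flag versions older than
the fixed releases named in the post.

Added example, not code from the post or from ThemePunch. Assumptions: the
plugin main file is named revslider.php / showbiz.php and carries a standard
WordPress "Version:" header line near the top of the file.
"""
import os
import re
import tempfile

# main-file name -> (label, first fixed version), per the post
PLUGINS = {
    "revslider.php": ("Revolution Slider", "4.2"),
    "showbiz.php": ("Showbiz Pro", "1.5.3"),
}
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(text):
    """'4.1.4' -> (4, 1, 4); pad to three parts so '4.2' compares as 4.2.0."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def read_header_version(path):
    """Return the Version: header of a plugin main file, or None if absent."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        m = VERSION_RE.search(fh.read(8192))  # headers sit at the top of the file
    return m.group(1) if m else None


def audit(wp_content):
    """Walk wp-content (plugins AND themes) and report every plugin copy found.
    A copy with no readable version is treated as vulnerable, not ignored."""
    report = []
    for dirpath, _dirs, files in os.walk(wp_content):
        for name in files:
            if name not in PLUGINS:
                continue
            label, fixed = PLUGINS[name]
            path = os.path.join(dirpath, name)
            version = read_header_version(path)
            vulnerable = version is None or parse_version(version) < parse_version(fixed)
            rel = os.path.relpath(path, wp_content).replace(os.sep, "/")
            report.append({"plugin": label, "path": rel, "version": version,
                           "vulnerable": vulnerable,
                           "bundled_in_theme": rel.startswith("themes/")})
    report.sort(key=lambda r: r["path"])
    return report


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def build_sample_site(base):
    """Constructed wp-content tree (illustrative names, not a real theme):
    an updated standalone plugin plus a theme that still bundles old copies."""
    header = "<?php\n/*\nPlugin Name: %s\nVersion: %s\nAuthor: example\n*/\n"
    wp_content = os.path.join(base, "wp-content")
    _write(os.path.join(wp_content, "plugins", "revslider", "revslider.php"),
           header % ("Slider Revolution", "4.2"))
    _write(os.path.join(wp_content, "themes", "sample-theme", "inc", "revslider", "revslider.php"),
           header % ("Slider Revolution", "4.1.4"))
    _write(os.path.join(wp_content, "themes", "sample-theme", "inc", "showbiz", "showbiz.php"),
           header % ("Showbiz Pro", "1.5.2"))
    return wp_content


def demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_site(tmp))


if __name__ == "__main__":
    for row in demo():
        flag = "VULNERABLE" if row["vulnerable"] else "ok"
        print("%-10s %-18s %-6s %s" % (flag, row["plugin"], row["version"], row["path"]))
```

On a real site, call `audit("/path/to/wp-content")` instead of `demo()`; any row with `bundled_in_theme` set is a copy that only a theme update (or a manual replacement of that folder) will fix.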

This becomes a hassle if you have made changes to the theme code or its template files, as your changes will be overwritten unless you have put them in a child theme. Situations like this highlight the advantages of using child themes when building a WordPress site, as updating the parent theme then becomes hassle-free.

Envato have published a list of affected themes here:

Updated Theme Not Available Yet?

Envato have advised theme developers of the issue, but some may take time to update their theme and upload it for customers to install.

In this case, you can install the Wordfence security plugin, which we mentioned in our WordPress Security Tips article. It is a great plugin for helping to keep your site secure, and it is free. We have tested the plugin and can confirm it successfully blocks attempts to exploit the vulnerability in these plugins.

Alternatively, you could add the following lines to your .htaccess file in the root folder of your site to block requests that try to grab the wp-config.php file. Note, however, that this only filters requests for that one file: a vulnerable site will still serve any other file the attacker asks for through the same flaw, so treat it as a stop-gap until the plugin or theme is updated.


About The Vulnerability

The Revolution Slider vulnerability lets an attacker craft a URL that makes the plugin return a local file from the server (a Local File Inclusion, or arbitrary file read, flaw). The exploit posted on hacking sites shows that it readily hands the attacker the wp-config.php file, which contains crucial security details for your site, such as the database name, user and password. Anyone holding those credentials who can reach the database can read and modify everything on the site, so if you find your site was exposed, change them as well as updating the plugin.

The weakness and exploit are covered very well on the Sucuri Blog:

The exploit was posted on Sept 1, 2014, and attackers are busy scanning for vulnerable sites to exploit.

To gauge the seriousness of the threat, we ran a quick Google search for sites running some of the affected themes and were able to access their wp-config.php files with ease, without any extra tools or scripts. The exploit is easy and very real.
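Because the attack is a crafted URL, the attempts leave a trace in the web server's access log even when a .htaccess rule or Wordfence turns them away. The script below is an added example written for this article (not code from the post, Sucuri or Wordfence) that scans Apache combined-format log lines for the pattern described above: a query parameter that walks up the directory tree or names wp-config.php. It deliberately checks every parameter rather than one known name, and flags traversal towards any file, which addresses the caveat above that a filter aimed only at wp-config.php misses other files. It also decodes percent-encoding more than once so double-encoded payloads are not missed. The sample log lines are constructed for illustration; the endpoint and parameter names in them are assumptions and do not come from the post.

```python
"""Scan web-server access logs for crafted URLs that try to pull local files
(wp-config.php and friends) through a vulnerable plugin parameter.

Added example, not code from the original post. The log format is Apache
"combined"; the request paths and parameter names in the sample lines are
constructed for illustration and do not come from the post or the plugin.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache combined format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# ".." as a whole path segment, with either slash style
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
SENSITIVE_FILES = ("wp-config.php", ".htaccess", "/etc/passwd")


def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads such as
    %252e%252e%252f still decode to '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_target(target):
    """Return the reasons a request target looks like a local-file grab (empty
    list if it looks benign). Every query value is decoded and checked, not just
    one known parameter name, because the vulnerable parameter differs per plugin."""
    reasons = []
    parts = urlsplit(target)
    values = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for raw in values:
        value = fully_unquote(raw)
        if TRAVERSAL_RE.search(value):
            reasons.append("directory traversal in %r" % raw)
        for name in SENSITIVE_FILES:
            if name in value.lower():
                reasons.append("reference to %s in %r" % (name, raw))
    return reasons


def scan(lines):
    """Return one finding per suspicious log line, keeping the status code so a
    responder can prioritise requests the server actually answered with 200."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the whole scan
        reasons = classify_target(m.group("target"))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return findings


# Constructed sample lines (not real traffic). Two probe for wp-config.php
# through a file-serving parameter (one double-encoded), one reaches for a
# different file via the same parameter, and two are ordinary visitors.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Sep/2014:10:14:03 +0000] "GET /wp-admin/admin-ajax.php?action=show_image&img=../wp-config.php HTTP/1.1" 200 3152 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Sep/2014:10:15:41 +0000] "GET /wp-admin/admin-ajax.php?action=show_image&img=%252e%252e%252fwp-config.php HTTP/1.1" 200 3152 "-" "curl/7.37.0"',
    '203.0.113.7 - - [02/Sep/2014:10:16:09 +0000] "GET /wp-admin/admin-ajax.php?action=show_image&img=../../../../etc/passwd HTTP/1.1" 200 1204 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [02/Sep/2014:10:17:55 +0000] "GET /?s=slider HTTP/1.1" 200 8820 "-" "Mozilla/5.0"',
    '192.0.2.45 - - [02/Sep/2014:10:18:02 +0000] "GET /wp-content/themes/sample-theme/style.css HTTP/1.1" 200 410 "http://example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["status"], f["target"], "->", "; ".join(f["reasons"]))
```

Feed a real log with `scan(open("/var/log/apache2/access.log"))`. A flagged request that received a 200 from a site running a vulnerable version should be treated as a successful read of the named file, which on WordPress means rotating the database password in wp-config.php, not only installing the update.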



We hope you find this post useful, and welcome any feedback via the comments below.

Featured image By: Nick Carter.
