Print Page   |   Your Cart   |   Sign In
Technology
Group HomeGroup Home Blog Home Group Blogs

Hackers exploit critical vulnerability in popular WordPress theme component

Posted By Arizona Small Business Association, Friday, September 5, 2014

Attackers are actively exploiting a critical vulnerability in a WordPress plug-in that’s used by a large number of themes, researchers from two security companies warned Wednesday.

The vulnerability affects versions 4.1.4 and older of Slider Revolution, a commercial WordPress plug-in for creating mobile-friendly content display sliders. The flaw was fixed in Slider Revolution 4.2 released in February, but some themes—collections of files or templates that determine the overall look of a site—still bundle insecure versions of the plug-in.

The vulnerability can be exploited to execute a local file inclusion (LFI) attack that gives hackers access to a WordPress site’s wp-config.php file, researchers from Web security firm Sucuri said in a blog post. This sensitive file contains database access credentials that can be used to compromise the whole site, the researchers said.

In February, ThemePunch, the developer of Slider Revolution, mentioned in the release notes of version 4.2 that a security issue had been fixed but didn’t release any additional details about the problem or its impact.

Information about the vulnerability circulated on underground forums for several months, but on Sept. 1 someone posted a proof-of-concept exploit for it on a public site, including a list of WordPress themes that are likely affected, security researchers from Trustwave said Wednesday in a blog post. “Our web honeypots picked up increased scanning activity today.”

Sucuri researchers also observed attempts to exploit the vulnerability. “Today alone, there were 64 different IP addresses trying to trigger this vulnerability on more than 1,000 different websites within our environment,” they said.

Slider Revolution is sold via CodeCanyon.net, an online market for Web scripts and other components. The plug-in is bought by regular site owners, but also by WordPress theme developers who then bundle it inside their products to enable content slider functionality.

The problem is that when bundled with themes, Slider Revolution’s automatic update mechanism is typically disabled. Users then have to rely on theme authors to update the plug-in along with their themes, which in many cases doesn’t happen.

“We fix all issues within hours,” a technical support representative for Damojo, the Cologne, Germany, company that owns ThemePunch, said Thursday via email. “As you know it is essential that all your plugins, WordPress and servers are always updated with the latest releases. Our direct customers do and can update their plugin regularly and automatically if they choose to.”

“The main issue is that theme authors that bundled the slider within their theme did not update the plugin for their customers,” the Damojo representative said. “The hint ‘Security Fix’ [in the release notes] should have ringed some bells. Why haven’t they updated the plugin since February?”

The latest version of Slider Revolution is 4.6, released on Aug. 25, but this particular vulnerability only affects versions older than 4.2.

The Damojo representative advised users to check if their themes contain a vulnerable version of the plug-in and to contact the theme authors in case they do, adding that the company shouldn’t be blamed for someone else’s failures.

This incident highlights yet again the risks of insecure third-party code reuse, a widespread problem that affects all types of software, not just Web applications and WordPress themes.

Many developers use third-party components and libraries in their own software projects and fail to keep up with their security updates. This can lead to situations where a vulnerability is identified and fixed in a software package, but lingers on for months or years in other applications.

 

Contributor:  

Source: http://www.pcworld.com

Tags:  hackers  slider  wordpress 

Share |
PermalinkComments (0)
 

What's Happening?

Newsletter

Join our newsletter to know what's new and upcoming at ASBA! 

LET'S CONNECT!

Join ASBA

ASBA

ASBA is the most powerful resource for your business in Arizona. We ensure the tools we offer are valuable and support the growth, education and connections necessary for today’s top business minds.

LEARN MORE

Partner Program

ASBA

ASBA’s Partner Program delivers your brand throughout Arizona. Share insights, connect with small business and highlight your company’s involvement with the association. Contact us to get started.

LEARN MORE

RSVP

Coffee Connect with ASBA

REGISTER

Date: Held monthly
Time: Click for times based on location

RSVP

ASBA Speed Networking

REGISTER

Date: Check our calendar 
Time: Click for times based on location

Have Questions on Health Insurance?

Health Insurance

We can get the answers you need. Contact us!

LEARN MORE

COVID-19

COVID-19

COVID-19 resources small businesses need to know!

LEARN MORE

Upcoming Events

Health+Plus

Join ASBA at any of our upcoming events!

REGISTER

Association Management Software Powered by YourMembership  ::  Legal