Security company sees attack spike in the middle of August

Sep 4, 2014 09:49 GMT

A serious security flaw in older versions of the Slider Revolution Premium component for WordPress is currently being heavily exploited, with cybercriminals targeting more than 1,000 websites in an attempt to trigger the vulnerability.

The developer of the plugin offered a patch for the glitch in version 4.2, back in February, for those who made the purchase directly from them; an auto-updater is included specifically for delivering emergency updates.

However, many vulnerable instances of the plugin are still available, running the risk of being targeted by cybercriminals.

Data from Sucuri shows that the attacks started on August 9, with a notable spike to more than 2,500 attempts on August 19; the activity cooled down towards the end of the month, with fewer than 500 attacks recorded on August 30.

Available for $18 / €14k, Slider Revolution has more than 26,000 purchases on Envato Market and it is touted as the top-selling slider plugin on Codecanyon, “widely used by theme authors on Themeforest.”

According to Sucuri, a website could be compromised by an attacker stealing its database, which holds the usernames and passwords for administrator accounts.

“This type of vulnerability is known as a Local File Inclusion (LFI) attack. The attacker is able to access, review, download a local file on the server. This, in case you’re wondering, is a very serious vulnerability that should have been addressed immediately,” says Daniel Cid, Sucuri CTO.

Users of Slider Revolution 4.1.4 and earlier are strongly advised to update to the latest release in order to be on the safe side.

“You should always keep the slider up to date like any other WordPress component but urgently need to do this when using Version 4.1.4 or below in order to fix the security issue. Please use the included autoupdate feature (we solve issues within hours and update nearly every two weeks if nothing special needs a faster frequency),” ThemePunch, the developers of the plugin, told Cid.

In some cases, users cannot rely on the auto-update function to receive the latest build of the software; this is because their version came bundled with a theme, whose author failed to run an update for Slider Revolution.

The solution is to contact the author of the theme and let them know about the security problem posed by the inability to update.
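To find copies that the auto-updater does not reach, a site owner can inventory every Slider Revolution copy under wp-content and compare its version with the 4.2 fix. The script below is an added example, not code from Sucuri or ThemePunch; it assumes the plugin's main file is named revslider.php and carries a standard WordPress "Version:" header, and the theme names and file contents in the sample tree are constructed.

```python
import os
import re
import tempfile

FIXED = (4, 2)  # the article gives 4.2 as the patched release
# Assumption: the plugin's main file is revslider.php with a "Version:" header.
MAIN_FILE = "revslider.php"
HEADER = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)

def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = HEADER.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def audit(wp_content):
    """Return sorted (path, version, bundled_in_theme, status) per copy found."""
    findings = []
    for root, _dirs, files in os.walk(wp_content):
        if MAIN_FILE not in files:
            continue
        path = os.path.join(root, MAIN_FILE)
        with open(path, encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read(8192))  # header sits at the top
        rel = os.path.relpath(path, wp_content)
        bundled = rel.split(os.sep)[0] == "themes"  # auto-updater may not cover it
        if version is None:
            status = "unknown"  # no readable header: check this copy by hand
        else:
            status = "vulnerable" if version < FIXED else "patched"
        findings.append((rel, version, bundled, status))
    return sorted(findings, key=lambda f: f[0])

def build_sample(root):
    """Create a constructed wp-content tree (hypothetical theme names)."""
    samples = {
        "plugins/revslider": "<?php\n/*\nPlugin Name: Revolution Slider\nVersion: 4.6.0\n*/\n",
        "themes/example-theme/plugins/revslider": "<?php\n/*\n * Version: 4.1.4\n */\n",
        "themes/other-theme/inc/revslider": "<?php // header stripped\n",
    }
    for rel_dir, body in samples.items():
        target = os.path.join(root, *rel_dir.split("/"))
        os.makedirs(target)
        with open(os.path.join(target, MAIN_FILE), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, version, bundled, status in audit(tmp):
            where = "bundled in theme" if bundled else "standalone plugin"
            print(f"{status:10} {version} {where}: {rel}")
```

On a real server, pass the site's wp-content directory to audit(); any copy reported as vulnerable or unknown inside a theme is one to raise with the theme author.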

Installing the newest release is of utmost importance because the vulnerability was shared on underground forums about two months ago. Its severity is very high and there is plenty of evidence that it is being actively exploited in the wild.