An exploit in a WordPress plugin has resulted in the infection of over 100,000 WordPress websites since Sunday. Worse, because the plugin is bundled with many themes, many webmasters may be unaware that they use it and are not receiving plugin update reminders for what has been termed a Zero Day exploit.
The exploited plugin is Slider Revolution, also known as RevSlider, a popular slideshow plugin used by many WordPress theme designers. It is a premium plugin, which means users paid to use it. Incredibly, even though the exploit was known and fixed earlier this year, the makers of RevSlider never announced that the plugin was being exploited, leaving many webmasters unaware of the urgency of fixing it. Their second plugin, ShowBiz Pro, is affected by the same exploit.
ThemePunch, the plugin's creator, commented that they were instructed not to make the exploit public so that hacking instructions would not be easily available. While spammers had been using the back door to hack sites for months, this major attack began on Sunday.
The exploit works simply by requesting a specific URL, which discloses the wp-config.php file to the attackers, giving them the site's full database credentials.
For RevSlider, you need version 4.2.0 or newer, released in February 2014, to be protected. For ShowBiz Pro, you need 1.5.3 or later, released in January 2014.
What makes this exploit worse, and harder to discover, is that the plugin is also quietly bundled with many theme packages. Even if you don't remember installing it, the designer of your theme may have included it; a bundled copy does not auto-update to the latest version, so you would be unaware that it could be exploited. Even worse, many theme designers are still selling WordPress themes with an older version of RevSlider, so even a theme purchased today can leave you exploitable.
Envato Market maintains an updated list of all the themes they are aware of that are affected by this exploit, detailing which themes have updated the bundled RevSlider and which have not.
Google has also blocked many of these sites in its search results in an attempt to limit the damage. So if your site is infected, potential visitors will see an alert stating that the website contains malware and should not be visited. If your site is infected and Google has discovered it, there should also be an alert in Google Webmaster Tools that your site contains malware.
Sucuri, the security site that was first to detail this latest exploit, offers a free scanner you can use to check websites for malware, which is handy for sites that have been exploited but not yet flagged by Google.
It is recommended that you update the plugin immediately. Some recommend replacing the swfobject.js and template-loader.php files to remove the exploit. But if your site has already been exploited, you will also need to change your database credentials, since the hackers still hold that information and can use it to re-hack your site.
This also serves as a reminder that it is always very important to keep WordPress updated, and not just WordPress itself but also all the plugins and themes you use. As this case shows, sometimes so-called Zero Day exploits are fixed but not publicized, so you may not know when there is a severe vulnerability that you need to update to fix.
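Because a copy of RevSlider bundled inside a theme does not show up in the WordPress plugin updater, the only reliable way to know whether you are on the minimum versions given above is to look at every copy on disk. The following audit script is an added example written for this article, not ThemePunch's or WordPress's own code; it assumes the plugin directories are literally named `revslider` and `showbiz` and reads the standard WordPress `Version:` file header, and it builds a constructed sample site so it can be run offline.

```python
import os
import re
import tempfile
from pathlib import Path

# Minimum safe versions as stated in the article: RevSlider 4.2.0, ShowBiz Pro 1.5.3.
MIN_SAFE = {"revslider": (4, 2, 0), "showbiz": (1, 5, 3)}
# Standard WordPress plugin header line, e.g. "Version: 4.1.4" or " * Version: 4.1.4".
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """Return the 'Version:' header of a WordPress plugin file as an int tuple, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def audit(wp_root):
    """Walk wp-content and report every RevSlider/ShowBiz copy, including ones bundled in themes.
    Assumption: the plugin lives in a directory named exactly 'revslider' or 'showbiz'."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(Path(wp_root) / "wp-content"):
        name = os.path.basename(dirpath)
        if name not in MIN_SAFE:
            continue
        version = None
        for fn in sorted(filenames):  # first PHP file carrying a Version: header wins
            if fn.endswith(".php"):
                version = parse_version(Path(dirpath, fn).read_text(errors="ignore"))
                if version:
                    break
        rel = os.path.relpath(dirpath, wp_root).replace(os.sep, "/")
        bundled = "/themes/" in "/" + rel + "/"          # copy shipped inside a theme
        vulnerable = version is None or version < MIN_SAFE[name]  # unknown version is treated as unsafe
        findings.append({"path": rel, "plugin": name, "version": version,
                         "bundled_in_theme": bundled, "vulnerable": vulnerable})
    return findings


def build_sample_site():
    """Constructed WordPress tree: a patched plugin copy plus an old copy bundled inside a theme."""
    root = tempfile.mkdtemp()
    header = "<?php\n/*\nPlugin Name: %s\nVersion: %s\n*/\n"
    files = {
        "wp-content/plugins/revslider/revslider.php": header % ("Slider Revolution", "4.6.0"),
        "wp-content/themes/sample-theme/inc/revslider/revslider.php": header % ("Slider Revolution", "4.1.4"),
        "wp-content/themes/sample-theme/inc/showbiz/showbiz.php": header % ("ShowBiz Pro", "1.5.3"),
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    for f in audit(build_sample_site()):
        print(("VULNERABLE " if f["vulnerable"] else "ok         ") + f["path"], f["version"])
```

Run it against a real install by calling `audit("/path/to/wordpress")`; a `bundled_in_theme` finding marked vulnerable is exactly the case the plugin updater will never warn you about.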
Jennifer Slegg
Michael Finegold says
The makers of Revslider have already dealt with that issue, no longer relevant.
Jennifer Slegg says
Yes, they had fixed it but there were many websites hit at the time the article was written that didn’t even realize it. There were also two issues… they never announced there was an issue so that users could be sure they were updated (which they did explain why they didn’t notify people until very recently). And many users had this plugin bundled in with various themes, which meant it wouldn’t use the auto-update plugin function within WordPress and theme creators are still distributing themes with the exploited plugin bundled in. The huge number of sites affected (and are still affected) shows that while Revslider fixed the issue, there are many who still need to update it themselves too.
Andor Rosenberg says
Hi Jennifer,
I think it is important to avoid insinuating that this is a WordPress exploit. It is not. It is a third-party plugin exploit. I strongly suggest you rephrase your title to avoid hundreds and thousands of WordPress designers and developers being questioned by their clients about the stability and security of WordPress.
– Andor Rosenberg.
Jennifer Slegg says
The article is quite clear it isn’t an exploit within WordPress but with a plugin used in conjunction with WordPress. Unfortunately, many users are not even aware they are using this plugin because it was bundled in with themes released by various theme designers, which meant it would not auto-update for them.