Hackers exploit critical vulnerability in popular WordPress theme component

Creation date

Number: IRCNE2014092307
Date: 2014-09-07

According to “techworld”, attackers are actively exploiting a critical vulnerability in a WordPress plug-in that's used by a large number of themes, researchers from two security companies warned Wednesday.
The vulnerability affects versions 4.1.4 and older of Slider Revolution, a commercial WordPress plug-in for creating mobile-friendly content display sliders. The flaw was fixed in Slider Revolution 4.2 released in February, but some themes -- collections of files or templates that determine the overall look of a site -- still bundle insecure versions of the plug-in.
The vulnerability can be exploited to execute a local file inclusion (LFI) attack that gives hackers access to a WordPress site's wp-config.php file, researchers from Web security firm Sucuri said in a blog post. This sensitive file contains database access credentials that can be used to compromise the whole site, the researchers said.
Information about the vulnerability circulated on underground forums for several months, but on Sept. 1 someone posted a proof-of-concept exploit for it on a public site, including a list of WordPress themes that are likely affected, security researchers from Trustwave said Wednesday in a blog post.
"We fix all issues within hours," a technical support representative for Damojo, the Cologne, Germany, company that owns ThemePunch, said Thursday via email. "As you know it is essential that all your plugins, WordPress and servers are always updated with the latest releases. Our direct customers do and can update their plugin regularly and automatically if they choose to."
The latest version of Slider Revolution is 4.6, released on Aug. 25, but this particular vulnerability only affects versions older than 4.2.
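Because the affected code can arrive either as a directly installed plug-in or zipped inside a theme, a site owner checking exposure needs to look in both places. The following scanner is an added example, not code from Sucuri, Trustwave or ThemePunch; it assumes the plug-in's main file is `revslider/revslider.php` with a standard WordPress `Version:` header, and it flags any copy older than the 4.2 fix, including copies still packed as a zip under a theme directory.

```python
"""Find copies of Slider Revolution older than 4.2 in a WordPress install."""
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_IN = (4, 2)          # advisory: fixed in 4.2, so 4.1.4 and older are affected
MAIN_FILE = "revslider.php"  # assumed main plug-in file name
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)

def parse_version(header_text):
    """Return the plug-in's Version: header as an int tuple, or None if absent."""
    m = HEADER_RE.search(header_text)
    return tuple(int(p) for p in m.group(1).strip(".").split(".")) if m else None

def is_vulnerable(version):
    """Affected means strictly older than 4.2, e.g. (4, 1, 4) < (4, 2)."""
    return version is not None and version < FIXED_IN

def find_revslider(wp_root):
    """Return (location, version, vulnerable) for every copy under wp-content,
    whether installed under plugins/ or shipped as a zip inside a theme."""
    wp_root, findings = Path(wp_root), []
    content = wp_root / "wp-content"
    for php in content.rglob(MAIN_FILE):
        v = parse_version(php.read_text(errors="replace"))
        findings.append((php.relative_to(wp_root).as_posix(), v, is_vulnerable(v)))
    for zpath in content.rglob("*.zip"):
        try:
            with zipfile.ZipFile(zpath) as zf:
                for name in zf.namelist():
                    if name.endswith("/" + MAIN_FILE):
                        v = parse_version(zf.read(name).decode(errors="replace"))
                        loc = f"{zpath.relative_to(wp_root).as_posix()}!{name}"
                        findings.append((loc, v, is_vulnerable(v)))
        except zipfile.BadZipFile:
            continue  # not a real zip; skip rather than abort the scan
    return findings

def build_sample_site():
    """Constructed sample install: an old copy under plugins/ plus a patched 4.6
    copy zipped inside a theme, the bundling pattern the advisory describes."""
    root = Path(tempfile.mkdtemp())
    plug = root / "wp-content/plugins/revslider"
    plug.mkdir(parents=True)
    (plug / MAIN_FILE).write_text("<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.1.4\n*/\n")
    bundle = root / "wp-content/themes/sample-theme/plugins"
    bundle.mkdir(parents=True)
    with zipfile.ZipFile(bundle / "revslider.zip", "w") as zf:
        zf.writestr("revslider/revslider.php", "<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.6\n*/\n")
    return root

if __name__ == "__main__":
    for loc, v, bad in find_revslider(build_sample_site()):
        print(f"{'VULNERABLE' if bad else 'ok':10} {loc} version={v}")
```

Run it against a real site root instead of the constructed one by calling `find_revslider("/path/to/wordpress")`.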