Today, we learned of a critical vulnerability in the Revolution Slider plugin that is used on many WordPress sites.
The vulnerability was patched by ThemePunch in version 4.2, but that still leaves many sites with no protection. The fact that Revolution Slider is a popular plugin that is sometimes bundled with the purchase of a theme only complicates matters, because a bundled copy does not receive updates the way a separately installed plugin does. You might even have the plugin installed and never use it.
With this vulnerability, a remote attacker is able to download any file from the server. Database credentials are at risk in this scenario, and the attacker is able to compromise a site via the database. This kind of vulnerability is a Local File Inclusion (LFI) attack. Local files on the server can be accessed and read, completely compromising your site’s security.
Upon learning of the vulnerability in Revolution Slider, BWG quickly took action. We went through all our clients’ sites, one by one, to identify whether they had the Revolution Slider plugin installed and, if they did, which version. After identifying where there was a threat, we upgraded to the most recent version of the Premium plugin and tested for the vulnerability. Now all our sites are safe from this Revolution Slider vulnerability.
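The site-by-site inventory described above can be scripted. The following is an added example (not BWG's or ThemePunch's code) that walks one or more WordPress roots, reads the plugin header's `Version:` line from every copy of the plugin, flags anything below the patched 4.2 release, and separately marks copies bundled inside a theme directory, which is where an installed-but-unused copy tends to hide. It assumes the plugin's main file is named `revslider.php`; the sample site tree it builds is constructed for the demonstration.

```python
"""Inventory Revolution Slider copies under WordPress roots; flag versions < 4.2."""
import re
import tempfile
from pathlib import Path

PATCHED = (4, 2)
MAIN_FILE = "revslider.php"  # assumed name of the plugin's main file
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)

def parse_version(text):
    """Return the plugin header 'Version:' value as a tuple of ints, or None."""
    m = HEADER_RE.search(text)
    if not m:
        return None
    parts = []
    for piece in m.group(1).split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break  # stop at a non-numeric component such as 'beta'
        parts.append(int(digits.group()))
    return tuple(parts) or None

def audit(site_roots):
    """One finding per copy. Copies under a themes/ directory are marked bundled,
    since those skip the normal plugin updater. An unreadable version counts as
    vulnerable so that it is reviewed rather than silently skipped."""
    findings = []
    for site in site_roots:
        root = Path(site)
        for path in root.rglob(MAIN_FILE):
            rel = path.relative_to(root)
            version = parse_version(path.read_text(errors="replace"))
            findings.append({"site": site, "path": str(rel), "version": version,
                             "bundled": "themes" in rel.parts,
                             "vulnerable": version is None or version < PATCHED})
    return findings

def demo():
    """Build a constructed site tree with three copies and audit it."""
    copies = {  # relative directory -> header version (constructed sample data)
        "wp-content/plugins/revslider": "4.1.4",                  # standalone, old
        "wp-content/themes/demo-theme/inc/revslider": "3.0.95",   # bundled, old
        "wp-content/plugins/revslider-new": "4.2",                # patched
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, ver in copies.items():
            d = Path(tmp, rel)
            d.mkdir(parents=True)
            (d / MAIN_FILE).write_text(f"<?php\n/*\nPlugin Name: Slider Revolution\nVersion: {ver}\n*/\n")
        return sorted(audit([tmp]), key=lambda f: f["path"])
```

Point `audit()` at the real document roots instead of the temporary tree to run it against live installs; any finding with `vulnerable` set needs an upgrade or removal, bundled copies included.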
Breaches of security and vulnerabilities happen more often than you think. The web is made up of thousands of different parts. All it takes is for an attacker to find a tiny crack in the system and they can exploit it. Personal files, medical records, credit card information, mailing lists and many more types of documents all have the potential to be stolen without the proper types of security in place.
BWG takes security very seriously. We keep tabs on what is going on around the web on a daily basis so that we can stay on top of issues like this. Upon hearing of a vulnerability, our team will spring into action to ensure our clients’ data is safe. Security needs to be a chief concern at any web design firm today.