Attackers are actively exploiting a critical vulnerability in a WordPress plug-in that's used by a large number of themes, researchers from two security companies warned Wednesday.
The vulnerability affects versions 4.1.4 and older of Slider Revolution, a commercial WordPress plug-in for creating mobile-friendly content display sliders. The flaw was fixed in Slider Revolution 4.2 released in February, but some themes -- collections of files or templates that determine the overall look of a site -- still bundle insecure versions of the plug-in.
The vulnerability can be exploited to execute a local file inclusion (LFI) attack that gives hackers access to a WordPress site's wp-config.php file, researchers from Web security firm Sucuri said in a blog post. This sensitive file contains database access credentials that can be used to compromise the whole site, the researchers said.
In February, ThemePunch, the developer of Slider Revolution, mentioned in the release notes of version 4.2 that a security issue had been fixed but didn't release any additional details about the problem or its impact.
Information about the vulnerability circulated on underground forums for several months, but on Sept. 1 someone posted a proof-of-concept exploit for it on a public site, including a list of WordPress themes that are likely affected, security researchers from Trustwave said Wednesday in a blog post. "Our web honeypots picked up increased scanning activity today."
Sucuri researchers also observed attempts to exploit the vulnerability. "Today alone, there were 64 different IP addresses trying to trigger this vulnerability on more than 1,000 different websites within our environment," they said.
Slider Revolution is sold via CodeCanyon.net, an online market for Web scripts and other components. The plug-in is bought by regular site owners, but also by WordPress theme developers who then bundle it inside their products to enable content slider functionality.
The problem is that when bundled with themes, Slider Revolution's automatic update mechanism is typically disabled. Users then have to rely on theme authors to update the plug-in along with their themes, which in many cases doesn't happen.
"We fix all issues within hours," a technical support representative for Damojo, the Cologne, Germany, company that owns ThemePunch, said Thursday via email. "As you know it is essential that all your plugins, WordPress and servers are always updated with the latest releases. Our direct customers do and can update their plugin regularly and automatically if they choose to."
"The main issue is that theme authors that bundled the slider within their theme did not update the plugin for their customers," the Damojo representative said. "The hint 'Security Fix' [in the release notes] should have ringed some bells. Why haven't they updated the plugin since February?"
The latest version of Slider Revolution is 4.6, released on Aug. 25, but this particular vulnerability only affects versions older than 4.2.
The Damojo representative advised users to check if their themes contain a vulnerable version of the plug-in and to contact the theme authors in case they do, adding that the company shouldn't be blamed for someone else's failures.
This incident highlights yet again the risks of insecure third-party code reuse, a widespread problem that affects all types of software, not just Web applications and WordPress themes.
Many developers use third-party components and libraries in their own software projects and fail to keep up with their security updates. This can lead to situations where a vulnerability is identified and fixed in a software package, but lingers on for months or years in other applications.