WordPress website owners using Revolution Slider need to check their WordPress plugins immediately. An exploit has been found, which allows a hacker to simply download your wp-config.php file. This allows them view to your database username, password, host and database prefixes. Using this information, it is then possible for the hacker to reset your WordPress password, email address and gain access to your site, or even just to delete all your database.
Websites are attacked by simply passing a simple web page request to the site, allowing the hacker to immediately download a copy of the site’s configuration file.
A quick search on Google produced a list of 12 million results which could be affected by this WordPress exploit. So far Theme Punch have sold nearly 35,000 copies of this plugin to end users and theme developers alike.
WordPress themes affected by the Revolution Slider exploit
Some of the WordPress themes affected by this exploit are outlined below. For a more up to date list, please check out this post on Envato’s Marketblog.
- X Theme (2nd highest selling theme)
- Bridge Theme
This is clearly a very popular premium plugin, and appears to be one of the most downloaded slider plugins from Envato’s Marketplace – Code Canyon. Revolution Slider also appears to be bundled in many theme packages so be sure to check your theme / plugins. If you’re not sure if you’re affected, simply contact your web designer or alternatively GiraffeDog. We will help secure your site and apply the update, but will need proof of purchase before we proceed.
Now, the vulnerability is being actively exploited in the wild. Yes, the vulnerability is severe enough that the attackers are able to compromise websites through it.
What to do if you are at risk?
If you’re not sure, simply disable the Revolution Slider plugin from your WordPress administration panel. This will stop the payload from running. Once you’ve done this, ensure you’ve got a replacement copy from either your theme developer, website designer or Theme Punch direct.
You should also reset your mySQL password, incase you’ve been exploited already. This will prevent the attacker from gaining access to your database remotely. If your host only allows access from localhost, you may be a little lucky, in that they may know your database password, but not be able to connect. If you’re using the same password for FTP or other sites, then you need to change this immediately.