Old Revolution Slider Pre 4.2 Vulnerabilty Explained

We decided to write this article due to reports of a supposedly “new” exploit (first seen in public on the 28th of March 2015) in our popular Slider Revolution WordPress Plugin and want to share with you, why you are NOT in danger if you are using at least version 4.2 (released last year, in February 2014).

In the following chapter we are going to explain in layman’s terms how the old vulnerabilty in Revolution Slider Versions 4.1.4 and below is working and why our plugins are safe now.

The structure of WordPress is build in a way that the frontend and backend are strictly separated.
This is, so that frontend users cannot call or make use of any backend functionality.
Furthermore, this makes sure that no attacker can utilise any functions that modify the database, files or markup of the website. Having the ability to use these functions would lead to an easy way of intrusion for an attacker in many plugins and WordPress itself.

WordPress has inbuild functionalities for plugins and themes to make so called ajax requests.
This means that data is transfered to the server directly and plugin and theme authors can handle these requests to modify or change settings, for example.
The problem here is that these ajax requests are not secure by themeselves, and can be handled by both, frontend and backend.

The developer is responsible for securing this data as there is no native check by WordPress to see if the received data is coming from an authorized user or from someone without access rights.
Hackers try to make use of requests that are only designed for the backend as these might use functions that can allow to inject code into the database.
In order to help make ajax requests secure, WordPress introduced the following functions in version 2.0.3:

wp_create_nonce() and wp_verify_nonce()

wp_create_nonce('unique_identifier');
creates a unique token, to be used in the backend and which is unknown to a possible attacker.

The result of this function should be send along with the ajax requests and verified by this function

wp_verify_nonce($the_send_nonce, 'unique_identifier');.

Doing this, will secure the whole ajax process and no intruder can do harm to the website.

Slider Revolution versions below 4.1.4 have a security issue as there was no check made with the functions described above.
As the plugin contained a lot of functionality at that time, it also had more than 20 different ajax requests which an attacker could use to break into WordPress.
Beginning with version 4.0 and 4.2 we added all the missing checks for our ajax requests, fixing the vulnerabilty.

All self-proclaimed “new” exploits that have been showing up recently are making use of the old pre 4.2 vulnerabilty.

Again, as long as you are running Revolution Slider 4.2+ you are perfectly safe.

Even though developers, including ourselves, are working as thorough as possible, the increasing complexity of plugins and WordPress itself always leaves a small chance for bugs and possible security problems.

WordPress itself has had quite a few serious vulnerabilities during the course of the last years, which should stress the most important thing to remember for anyone running a WordPress site:

Always keep your Plugins and WordPress versions up to date!

Here is a list of links that will help you update your version of Slider Revolution and how to easily stay up to date in the future:

How to update if you purchased the Plugin directly from us
How to update your Plugin if it came bundled with a theme
Never miss an update with PunchGuider
Free updates for themes that contained a vulnerable Revolution Slider

If you haven’t done it already, we would advise you to install a WordPress firewall plugin as soon as possible.

A firewall can block unauthorized access to your WordPress installation and even prevent the usage of vulnerabilities in a plugin.

Wordfence users were not affected by the vulnerability in Slider Revolution in versions pre 4.2 as the plugin succesfully blocked the intrusion attempts.

Our recommendations:

Wordfence
iThemes Security

Even if you updated from a vulnerable Slider Revolution version to a secure one (4.2+), hackers might have planted malware on your system that allows them to gain access to your WordPress installation via a backdoor.

Here is a comprehensive guide to removing the SoakSoak Virus / Malware:
Remove SoakSoak Virus / Malware – by graphicpilot.com

We hope that this article sheds some light on the cause of the original vulnerability in Slider Revolution pre 4.2 versions and helps you to run a secure WordPress installation.

News about a self-proclaimed “new” vulnerabilities like this one actually refers to the old pre 4.2 vulnerability.

After urging the author to correct his statement, he added the note “The XSS works on RevSlider 4.1 and older”

Please DO NOT use the so called “fix” by the above author in an attempt to close a security vulnerability that we already patched officially over a year ago in february 2014 (Version 4.2). The “fix” by the above author will NOT close the security vulnerabilty.

The only way to be secure is to update your plugin as explained here, install a firewall plugin and check your system for possible malware infections.

Thanks for reading!

Your Team @ ThemePunch