[Honeypot Alert] Active Probes for WordPress revslider_show_image Plugin Local File Inclusion Flaw

Details of a local file inclusion vulnerability in the WordPress Slider Revolution Plugin have been publicly released:

[Screenshot: public disclosure of the vulnerability]

Apparently this vulnerability has been discussed on some underground forums for a couple of months, but it wasn't until these more mainstream websites published details that we saw attackers start scanning for vulnerable sites. Our web honeypots picked up increased scanning activity today. Here is an example of a full audit log dump of the HTTP request from our ModSecurity WAF:

[Screenshot: ModSecurity audit log of the honeypot request]

In this attack example, the attacker is trying to access the WordPress config file in the hopes of obtaining sensitive data such as database credentials.


Update your WordPress Slider Revolution Plugin

Sucuri Security is seeing similar activity and is also reporting that the developer of this Plugin chose to silently patch this vulnerability. This did the Plugin's user base a disservice: a silent patch neither made users aware of the problem nor prompted them to update. A couple of notes:

  • Updating this Plugin may need to be done manually if your WP manager does not provide an interface for it.
  • Beware that "disabling" the Plugin may be superseded by the Theme, which can re-enable it. You may need to remove it altogether if you cannot update it.

Use WAF Protections

WAFs can be used to help prevent exploitation until you can get your systems updated. Trustwave's WebDefend WAF would block this attack either through a generic "Directory Traversal Attack" signature or through an anomaly of the learned resource profile. For ModSecurity WAF, we have added a new signature to our commercial rules feed:

[Screenshot: ModSecurity commercial rule]
