A local file inclusion vulnerability in the WordPress Slider Revolution Plugin has been released:
Apparently this vulnerability has been discussed on some underground forums for a couple months but it wasn't until these more main stream websites published data that we saw attackers start scanning for vulnerable sites. Our web honeypots picked up increased scanning activity today. Here is an example full audit log dump of the HTTP request from our ModSecurity WAF:
In this attack example, the attacker is trying to access the WordPress config file in the hopes of obtaining sensitive data such as database credentials.
Recommendations
Update your WordPress Slider Revolution Plugin
Sucuri Security is seeing similar activity and it also reporting that the developer of this Plugin chose to silently patch this vulnerability. This did a disservice to the Plugin userbase to be aware of the problem and to prompt updating. A couple notes:
- Updating this plugin may need to be done manually if your WP manager does not provide an interface for it.
- Beware that "disabling' the Plugin may end up being superceded by the Theme and be re-enabled. You may need to remove it altogether if you can not update it.
Use WAF Protections
WAFs can be used to help prevent exploitation until you can get your systems updated. Trustwave's WebDefend WAF would block this attack either through a generic "Directory Traversal Attack" signature or through an anomaly of the learned resource profile. For ModSecurity WAF, we have added a new signature to our commercial rules feed:
