A major security flaw has been discovered in the most popular WordPress slider plugin out there, Slider Revolution (aka Revolution Slider). It’s imperative that sites using the plugin update to the latest version immediately.
The vulnerability was first brought to my attention by Envato, the widely used theme and code marketplace (themeforest, codecanyon, etc.). From their notification:
This vulnerability allows attackers to access the servers of all sites using older versions of the Slider Revolution and Showbiz Pro (WordPress) plugins by ThemePunch. The vulnerability exists for all versions of Slider Revolution earlier than version 4.2 (released in February 2014) and all versions of Showbiz Pro (WordPress) earlier than 1.5.3 (released in January 2014).
The fact that this issue is so bad that it can provide server access to the attacker means that system administrators and site owners should get on top of this ASAP. If you host many WordPress sites, you can do a quick search via the command line to locate any sites using the plugin.
find / -type d -name 'revslider'
Once you’ve determined the sites using the offending plugin, you should download the latest version of Slider Revolution and update the installation by following these steps provided by Envato:
Make a backup of your site
Download the updated plugin
Locate the downloaded zip file on your computer and unzip it
Connect to your server using an FTP client and go to the wp-content/plugins/ folder
Upload the revslider and/or showbiz folders to the wp-content/plugins/ folder, overwriting the existing files
Log into WordPress and go to the Plugins page
Locate the updated plugins in the list and confirm the version(s) are secure
Update your server password
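The find command above only tells you where the plugin folders are; it does not tell you which of them are still on a version below the fixed releases named in the Envato notice (Slider Revolution 4.2, Showbiz Pro 1.5.3), and the final "confirm the version(s) are secure" step has to be repeated per site. The script below is an added example, not part of the original post or of ThemePunch's code: it walks a root directory, reads the plugin version from each install, and flags anything below the fixed version. It assumes the standard WordPress plugin header ("Version: x.y.z") lives in revslider/revslider.php and showbiz/showbiz.php; the site tree it builds under a temp directory is constructed sample data for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Inventory Slider Revolution /
# Showbiz Pro installs under a root directory and flag versions below the
# fixed releases named in the Envato notice (4.2 and 1.5.3).
# Assumption: each plugin's main file carries a WordPress "Version:" header
# line (revslider/revslider.php, showbiz/showbiz.php).

# True (exit 0) when dotted version $1 is older than $2; missing components
# count as 0, so "4.2" compares as "4.2.0".
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0;
      yi = (i <= nb) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 1;   # equal versions are not "older"
  }'
}

# Print the value of the first "Version:" header line in a plugin main file.
plugin_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Scan $1 for revslider/showbiz folders; print "<dir> <version> <STATUS>" each.
scan_plugins() {
  find "$1" -type d \( -name revslider -o -name showbiz \) 2>/dev/null |
  while read -r dir; do
    case "$(basename "$dir")" in
      revslider) main="$dir/revslider.php"; fixed="4.2" ;;
      showbiz)   main="$dir/showbiz.php";   fixed="1.5.3" ;;
    esac
    if [ ! -f "$main" ]; then
      echo "$dir unknown NO_MAIN_FILE"; continue
    fi
    ver=$(plugin_version "$main")
    if [ -z "$ver" ]; then
      echo "$dir unknown NO_VERSION_HEADER"
    elif version_lt "$ver" "$fixed"; then
      echo "$dir $ver VULNERABLE"
    else
      echo "$dir $ver OK"
    fi
  done
}

# Constructed sample hosting tree (four fake sites) so the script runs offline.
make_fixture() {
  root=$(mktemp -d)
  p="wp-content/plugins"
  mkdir -p "$root/site-a/$p/revslider" "$root/site-b/$p/revslider" \
           "$root/site-c/$p/showbiz"   "$root/site-d/$p/showbiz"
  printf '<?php\n/*\n * Plugin Name: Slider Revolution\n * Version: 4.1.4\n */\n' \
    > "$root/site-a/$p/revslider/revslider.php"
  printf '<?php\n/*\n * Plugin Name: Slider Revolution\n * Version: 4.6.0\n */\n' \
    > "$root/site-b/$p/revslider/revslider.php"
  printf '<?php\n/*\n * Plugin Name: Showbiz Pro\n * Version: 1.5.3\n */\n' \
    > "$root/site-c/$p/showbiz/showbiz.php"
  printf '<?php\n/*\n * Plugin Name: Showbiz Pro\n * Version: 1.4\n */\n' \
    > "$root/site-d/$p/showbiz/showbiz.php"
  echo "$root"
}

# Stand-alone run: build the sample tree, scan it, clean up.
demo_root=$(make_fixture)
scan_plugins "$demo_root"
rm -rf "$demo_root"
```

On a real host, call scan_plugins with the directory that holds your sites (for example /var/www) instead of the constructed tree; a line ending in VULNERABLE is an install to update, and NO_MAIN_FILE or NO_VERSION_HEADER means the folder should be inspected by hand rather than assumed safe.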