This Slider Revolution (RevSlider) case study explains the risks of plug-ins whose license has lapsed or that have moved to a paid model, and how to deal with vulnerabilities in such plug-ins.

What is the Slider Revolution (RevSlider) case?
In the RevSlider incident, more than 100,000 sites were infected even though the patch fixing the Slider Revolution vulnerability had long been available. The licensing and update mechanism was a structural problem that increased the damage.
The attack first looked for a vulnerable file in RevSlider and obtained wp-config.php. It was a multi-stage attack that then uploaded a malicious program to the site, planted a “Filesman” backdoor, and then altered swfobject.js to inject malware that redirected visitors to soaksoak.ru (a rogue site) on every page.
Infected sites could not be fixed simply by removing the plug-in. Multiple backdoors and the RevSlider vulnerability had to be dealt with at the same time, which made the incident notoriously difficult to clean up.
Why were 100,000 sites infected when the vulnerabilities had already been fixed?
Because RevSlider was a paid plugin, only users who had purchased it directly could receive automatic updates on their WordPress dashboard. When RevSlider came bundled with a theme, site administrators were in some cases not even aware that the plugin was installed, and they did not receive automatic update notifications.
Users who kept using a copy obtained before the plugin became paid and could not update it, or who had not activated it and could not update it, were also affected.
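As an added example (not code from the original article or from the plugin's vendor), the following Python sketch inventories every copy of RevSlider under a WordPress root, including theme-bundled ones, and flags the two infection traces described above: a swfobject.js that references soaksoak.ru and PHP files that look like the Filesman backdoor. The `revslider` directory name, the plain-text `filesman` marker and the sample tree are assumptions or constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the article; plain-text matching is an assumption (obfuscated copies won't match).
REDIRECT_DOMAIN = b"soaksoak.ru"
BACKDOOR_MARKER = b"filesman"
VERSION_RE = re.compile(rb"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def read_head(path, limit=1 << 20):
    try:
        with open(path, "rb") as fh:
            return fh.read(limit)
    except OSError:
        return b""  # unreadable files are treated as empty

def scan_wordpress(root):
    """Return (revslider_copies, indicators); copies match by directory name, wherever they sit."""
    copies, indicators = [], []
    for path in sorted(Path(root).rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_dir() and path.name.lower() == "revslider":
            heads = (read_head(p, 8192) for p in sorted(path.glob("*.php")))
            found = next((m for m in map(VERSION_RE.search, heads) if m), None)
            copies.append((rel, found.group(1).decode(errors="replace") if found else "unknown"))
        elif path.is_file():
            data = read_head(path).lower()
            if path.name.lower() == "swfobject.js" and REDIRECT_DOMAIN in data:
                indicators.append((rel, "swfobject.js references soaksoak.ru"))
            elif path.suffix.lower() == ".php" and BACKDOOR_MARKER in data:
                indicators.append((rel, "possible Filesman backdoor"))
    return copies, indicators

def build_sample_tree():
    """Constructed sample site (not real data) so the scan runs offline."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "wp-content/themes/demo/plugins/revslider/revslider.php":
            b"<?php\n/*\n * Plugin Name: Revolution Slider\n * Version: 4.1.4\n */\n",
        "wp-includes/js/swfobject.js": b"/* constructed */ var s = 'soaksoak.ru';",
        "wp-content/uploads/cache.php": b"<?php $default_action = 'FilesMan'; // constructed",
    }
    for rel, body in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)
    return root

if __name__ == "__main__":
    for group in scan_wordpress(build_sample_tree()):
        print(*group, sep="\n")
```

A hit from the scan is a lead to review by hand, and an empty result does not prove a site is clean.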
Vulnerability Countermeasures for Unlicensed or Expired Paid Plug-ins
To guard against vulnerabilities, we recommend that you always check your plug-ins for vulnerabilities; plug-ins account for 60-70% of all WordPress hacks.
Plugin Vulnerability Search System
If you have not yet activated your license, we recommend that you activate your license and update it.
If the vulnerability is in a plugin that is difficult to update, the best thing to do is to stop and remove the plugin, but this may be difficult if the plugin is used as a site feature.
How to deal with vulnerabilities in plug-ins that cannot be updated or removed, but are critical to the functionality of the site
If the vulnerability is in a plugin that performs an important function of the site and cannot be updated or removed, the vulnerability can be fixed by examining the characteristics of the vulnerability and directly modifying the program to close the vulnerability.
If you directly edit the program of a plugin, the edited part may be lost in subsequent updates.
Vulnerability characteristics may be disclosed in the form of a PoC (Proof of Concept).
Examples
WordPress Plugin Slider REvolution 4.1.4 – Arbitrary File Download
In some cases, the programmers who found the vulnerability may also have published a patch.
We will use this information to directly close the vulnerability.
However, this may require advanced security and programming skills, and we recommend that you consult with an experienced engineer.