October 3, 2014 By Shane Schick 2 min read

WordPress has become one of the most popular platforms for setting up everything from blogs to corporate websites, but reports of a WordPress vulnerability may have some organizations worried about the security of their entire online presence.

A Sucuri researcher was among the first to describe the details of the WordPress vulnerability, which could allow hackers to gain access to the database of sites or blogs using a particular WordPress “theme” (the files or templates that provide the look and feel of what online users see). A plugin called Slider Revolution, used in many such themes, has a vulnerability whereby third parties could access, view or download a file from WordPress sites that use it. This is known as a Local File Inclusion (LFI) attack.

The WordPress vulnerability has been an issue for months, according to researchers at Trustwave, but it was only a few weeks ago that anyone posted data about it online. This resulted in hackers scanning for websites that could be exploited through an LFI attack, the firm said.

PC Advisor contacted ThemePunch, the developer of Slider Revolution that is owned by Germany-based Dajomo, and was told via email that automatic updates to the plugin may not have been turned on in some of the themes it is bundled in. The company said Slider Revolution was updated in February to address the WordPress vulnerability, but Sucuri said it was a mistake to patch the problem quietly without raising more awareness around it.

“This is an example of where things go terribly wrong,” Daniel Cid of Sucuri said.

According to Forbes, WordPress is used by close to one-fifth of all websites, making it a huge potential target for hackers who want to find a way into the databases of all sorts of organizations. The story pointed to a free online service called WPScan that can be used to keep track of potential threats as they emerge.

In the meantime, a marketplace for WordPress themes called Evato has created a comprehensive walk-through of how to best check for security problems with Slider Revolution and ensure the plugin and related themes are up-to-date. This particular vulnerability only affects versions older than 4.2., and the latest version of Slider Revolution, 4.6, was released on Aug. 25.

As organizations increasingly move away from custom-built websites and leverage standardized themes and components, tracking these kinds of threats needs to become more of a priority. WordPress makes it easy to get content online, but it shouldn’t make it any easier for hackers to see the information companies want to keep offline.

Image source: Flickr

More from

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

DOD establishes Office of the Assistant Secretary of Defense for Cyber Policy

2 min read - The federal government recently took a new step toward prioritizing cybersecurity and demonstrating its commitment to reducing risk. On March 20, 2024, the Pentagon formally established the new Office of the Assistant Secretary of Defense for Cyber Policy to supervise cyber policy for the Department of Defense. The next day, President Joe Biden announced Michael Sulmeyer as his nominee for the role.“In standing up this office, the Department is giving cyber the focus and attention that Congress intended,” said Acting…

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today