Light Dark
October 3, 2014 By Shane Schick 2 min read

WordPress has become one of the most popular platforms for setting up everything from blogs to corporate websites, but reports of a WordPress vulnerability may have some organizations worried about the security of their entire online presence.

A Sucuri researcher was among the first to describe the details of the WordPress vulnerability, which could allow hackers to gain access to the database of sites or blogs using a particular WordPress “theme” (the files or templates that provide the look and feel of what online users see). A plugin called Slider Revolution, used in many such themes, has a vulnerability whereby third parties could access, view or download a file from WordPress sites that use it. This is known as a Local File Inclusion (LFI) attack.

The WordPress vulnerability has been an issue for months, according to researchers at Trustwave, but it was only a few weeks ago that anyone posted data about it online. This resulted in hackers scanning for websites that could be exploited through an LFI attack, the firm said.

PC Advisor contacted ThemePunch, the developer of Slider Revolution that is owned by Germany-based Dajomo, and was told via email that automatic updates to the plugin may not have been turned on in some of the themes it is bundled in. The company said Slider Revolution was updated in February to address the WordPress vulnerability, but Sucuri said it was a mistake to patch the problem quietly without raising more awareness around it.

“This is an example of where things go terribly wrong,” Daniel Cid of Sucuri said.

According to Forbes, WordPress is used by close to one-fifth of all websites, making it a huge potential target for hackers who want to find a way into the databases of all sorts of organizations. The story pointed to a free online service called WPScan that can be used to keep track of potential threats as they emerge.

In the meantime, a marketplace for WordPress themes called Evato has created a comprehensive walk-through of how to best check for security problems with Slider Revolution and ensure the plugin and related themes are up-to-date. This particular vulnerability only affects versions older than 4.2., and the latest version of Slider Revolution, 4.6, was released on Aug. 25.

As organizations increasingly move away from custom-built websites and leverage standardized themes and components, tracking these kinds of threats needs to become more of a priority. WordPress makes it easy to get content online, but it shouldn’t make it any easier for hackers to see the information companies want to keep offline.

Image source: Flickr

 |  |  | 
Shane Schick
Writer & Editor

More from

April 25, 2024

NIST’s role in the global tech race against AI

4 min read - Last year, the United States Secretary of Commerce announced that the National Institute of Standards and Technology (NIST) has been put in charge of launching a new public working group on artificial intelligence (AI) that will build on the success of the NIST AI Risk Management Framework to address this rapidly advancing technology.However, recent budget cuts at NIST, along with a lack of strategy implementation, have called into question the agency’s ability to lead this critical effort. Ultimately, the success…

April 24, 2024

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

April 23, 2024

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature