We received news today that the WordPress plugins Slider Revolution and Showbiz Pro, both by ThemePunch, have a serious vulnerability that allows attackers to access the servers of all sites using older versions of these plugins.
The vulnerability exists for all versions of Slider Revolution earlier than version 4.2 (released in February 2014) and all versions of Showbiz Pro (WordPress) earlier than 1.5.3 (released in January 2014).
They are both popular plugins and several people have been in contact with us already this morning in relation to this issue.
If you update your plugins regularly (and you should!) this may have already been patched. This is more likely to affect people who don’t personally look after WordPress or theme updates on their site and who have these plugins installed as part of a theme.
If you have admin access to your site and are confident doing so, we recommend you take the following steps to secure your sites immediately:
Step 1: Check Plugin Versions
- Log into the WordPress admin area
- Go to the plugins screen
- Locate Slider Revolution and/or Showbiz Pro plugin(s) in the list
- Check the version number(s)
- If you have a version of Revolution Slider plugin that is 4.2 or higher, or Showbiz Pro that is 1.5.3 or higher, your plugin has already been patched. No further action is required.
- If you are using an earlier version, you need to download a patched version of the plugin and install it immediately (instructions below).
- Please note that in some cases where these plugins were installed as part of a theme, the plugins may not show up on your plugin page. They will, however, be listed in the menu bar on the left-hand side of your admin area. If you click on the entry, you should be able to see the version numbers on the resulting page.
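If you have file access to the server, the same version check can be run against the filesystem, which also catches copies bundled inside a theme that do not appear on the plugins screen. This is an added example, not code from the original post or from ThemePunch; it assumes the plugin folders keep the names revslider and showbiz and that a top-level PHP file in each carries a standard WordPress "Version:" header.

```python
import re
import sys
from pathlib import Path

# First patched releases, as stated in the advisory above.
PATCHED = {"revslider": (4, 2), "showbiz": (1, 5, 3)}

# WordPress reads plugin metadata from a "Version:" line in a PHP header comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)

def parse_version(text):
    """Return the header version as a tuple of ints, or None if no header is found."""
    m = VERSION_RE.search(text)
    return tuple(int(part) for part in m.group(1).split(".")) if m else None

def is_patched(slug, version):
    """Numeric comparison, so 4.10 counts as newer than 4.2 (a string compare would not)."""
    return version >= PATCHED[slug]

def scan(wp_content):
    """Find revslider/showbiz folders anywhere under wp-content, including theme bundles."""
    results = []
    for folder in sorted(Path(wp_content).rglob("*")):
        if not folder.is_dir() or folder.name not in PATCHED:
            continue
        version = None
        for php in sorted(folder.glob("*.php")):
            # The header sits at the top of the file, so the first 8 KB is enough.
            version = parse_version(php.read_text(encoding="utf-8", errors="replace")[:8192])
            if version:
                break
        if version is None:
            status = "UNKNOWN"  # no header found: check this folder by hand
        elif is_patched(folder.name, version):
            status = "patched"
        else:
            status = "VULNERABLE"
        results.append((str(folder), version, status))
    return results

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content"
    for path, version, status in scan(root):
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:10} {shown:8} {path}")
```

Run it with the path to your wp-content folder as the only argument; any line marked VULNERABLE or UNKNOWN needs the Step 2 treatment or a manual look.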
Step 2: Install Patched Plugin (If Necessary)
- Make a backup of your site
- Download the theme again
- Locate the downloaded zip file on your computer and unzip it
- Locate the revslider and/or showbiz folders. If you are not able to locate the folders, please contact the theme author.
- Connect to your server using an FTP client and go to the wp-content/plugins/ folder
- Upload the revslider and/or showbiz folders to the wp-content/plugins/ folder, overwriting the existing files
- Log into WordPress and go to the Plugins page
- Locate the updated plugins in the list and confirm the version(s) are secure
- Update your server password following password best practices
If none of this makes sense to you or you’re not comfortable completing these updates, get in contact with the person who looks after your site and ask them to make the required updates for you as soon as possible.