WordPress Slider Revolution Security Patch

There is a new Slider Revolution exploit that allows malware to be installed on your site; please patch ASAP! See Erwan’s comment, which links to http://www.epnb.fr/correction-fix-patch-manuel-pour-corriger-la-faille-dans-le-plugin-revslider-de-wordpress/ for his excellent post and instructions on patching this new exploit. And also apply the patch detailed on this page, if you haven’t already.

If your site uses the WordPress plugin Slider Revolution version 4.1.4 or older, you need to patch it or update it ASAP! Follow the directions below to patch yours within minutes…

This wptavern article explains this serious security vulnerability in more detail, but the actual exploit is very easy: just open http://yourdomainhere.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php using your domain, and the wp-config.php source code will be downloaded! This includes your database login information, and if your MySQL server allows remote connections, then your site is theirs.
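As an added example (not part of the original post), here is a small Python script a site owner can run over their web server access log to see whether this exploit URL has already been requested against the site, and whether those requests got a 200 (the file was most likely served) or were blocked. The log lines are constructed samples in combined log format; on a real server you would read the access log file instead of the embedded string.

```python
"""Flag Slider Revolution revslider_show_image requests whose img parameter is not a
plain attachment ID, i.e. the path-traversal form used by the wp-config.php exploit."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in combined log format (not taken from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2014:03:14:07 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2014:03:14:09 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2F..%2Fwp-config.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2014:03:15:12 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=42 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2014:03:15:13 +0000] "GET /wp-content/uploads/2014/11/slide1.jpg HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2014:03:16:40 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 212 "-" "curl/7.35.0"
"""

# Combined log format: client IP, two identity fields, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so ..%252F is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_img(value):
    """A legitimate img argument is an attachment ID, i.e. digits only.
    Anything else (traversal, slashes, file names) is what the exploit sends."""
    return not fully_decode(value).isdigit()


def scan_log(text):
    """Return one finding per admin-ajax revslider_show_image request with a bad img."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/admin-ajax.php"):
            continue
        qs = parse_qs(parts.query)
        if qs.get("action", [""])[0] != "revslider_show_image":
            continue
        for img in qs.get("img", []):
            if is_suspicious_img(img):
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "img": fully_decode(img),
                    "status": int(m.group("status")),
                    # 200 means the handler answered normally, i.e. the site was
                    # most likely unpatched at that moment and the file was served.
                    "likely_served": m.group("status") == "200",
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 on one of these requests is the signal to treat wp-config.php as exposed: rotate the database password (and any other secrets in that file) rather than only applying the patch.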

Update: see Envato Market’s post about how you should be able to get an updated and patched Revolution Slider for free. Or you can use the instructions below to easily patch the vulnerability yourself in a minute, and everything works exactly as it did before.

The below patch worked for a Revolution Slider ver 4.1.2 install that I just updated, though you should definitely make a backup in step 2) in case it doesn’t for you.

1) Verify the exploit works by loading http://yourdomain.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

2) Back up and then edit the image_view.class.php file, which may be in one of these folders:
wp-content/plugins/revslider/inc_php/framework/
wp-content/plugins/revslider/inc_php/
wp-content/themes/(your theme name)/revslider/framework/inc_php/
wp-content/themes/(your theme name)/revslider/inc_php/


3) Find the showImageFromGet function in the code and apply the updates below: add the new showImageByID function and change showImageFromGet so that the img parameter is treated as an integer WordPress attachment ID instead of a file path. The lines that used to pass the raw filename to showImage are left in as comments so you can see what changed.
// Added: look the image up by its WordPress attachment ID, never by a path from the request.
private function showImageByID($fileID, $maxWidth=-1, $maxHeight=-1, $type=""){
  $fileID = intval($fileID);
  // intval() turns anything that is not a number (e.g. "../wp-config.php") into 0
  if($fileID == 0) $this->throwError("image not found");
  // only a file registered in the media library can be resolved this way
  $img = wp_get_attachment_image_src( $fileID, 'thumb' );
  if(empty($img)) $this->throwError("image not found");
  $this->outputImage($img[0]);
  exit();
}

// Changed: the img GET parameter is now an integer ID, not a filename.
public function showImageFromGet(){

  //$imageFilename = UniteFunctionsRev::getGetVar("img");
  $imageID = intval(UniteFunctionsRev::getGetVar("img"));

  $maxWidth = UniteFunctionsRev::getGetVar("w",-1);
  $maxHeight = UniteFunctionsRev::getGetVar("h",-1);
  $type = UniteFunctionsRev::getGetVar("t","");

  //set effect
  $effect = UniteFunctionsRev::getGetVar("e");
  $effectArgument1 = UniteFunctionsRev::getGetVar("ea1");

  if(!empty($effect))
    $this->setEffect($effect,$effectArgument1);

  $this->showImageByID($imageID);
  //$this->showImage($imageFilename,$maxWidth,$maxHeight,$type);
}
4) Test the exploit link from step 1) and verify it no longer downloads your wp-config.php file, then test your Revolution Slider slideshows to verify they are still functioning correctly. If not, restore the backup from step 2) and try again, purchase the latest Revolution Slider for $18 from Code Canyon and perform their upgrade steps, or switch to another slider plugin and call off the revolution.
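To make steps 2) and 4) repeatable across several sites, here is an added Python script (not from the post or from the plugin) that locates image_view.class.php in the folders listed above, makes a timestamped backup copy, and reports whether each copy still passes the raw img parameter to showImage (unpatched) or resolves it through showImageByID (patched). The PHP samples inside it are constructed and the class name ImageViewDemo is a placeholder; the check only recognises the patch shape shown on this page, so a file fixed some other way reports as unknown.

```python
"""Find Slider Revolution's image_view.class.php under a WordPress install, optionally
back it up, and report whether showImageFromGet still hands the raw `img` query
parameter to the filesystem (unpatched) or resolves it as an integer attachment ID."""
import os
import re
import shutil
import tempfile
import time

# Folders from the post where the file may live, relative to the WordPress root;
# THEME stands for each directory found under wp-content/themes.
CANDIDATE_DIRS = [
    "wp-content/plugins/revslider/inc_php/framework",
    "wp-content/plugins/revslider/inc_php",
    "wp-content/themes/THEME/revslider/framework/inc_php",
    "wp-content/themes/THEME/revslider/inc_php",
]
TARGET = "image_view.class.php"

# Constructed PHP samples (ImageViewDemo is a placeholder class name). The unpatched
# body mirrors the commented-out lines in the post's patch; the patched body is the
# post's replacement, trimmed to the lines that matter for the check.
UNPATCHED_SAMPLE = """<?php
class ImageViewDemo {
  public function showImageFromGet(){
    $imageFilename = UniteFunctionsRev::getGetVar("img");
    $maxWidth = UniteFunctionsRev::getGetVar("w",-1);
    $maxHeight = UniteFunctionsRev::getGetVar("h",-1);
    $type = UniteFunctionsRev::getGetVar("t","");
    $this->showImage($imageFilename,$maxWidth,$maxHeight,$type);
  }
}
"""
PATCHED_SAMPLE = """<?php
class ImageViewDemo {
  private function showImageByID($fileID, $maxWidth=-1, $maxHeight=-1, $type=""){
    $fileID = intval($fileID);
    if($fileID == 0) $this->throwError("image not found");
    $img = wp_get_attachment_image_src( $fileID, 'thumb' );
    if(empty($img)) $this->throwError("image not found");
    $this->outputImage($img[0]);
    exit();
  }
  public function showImageFromGet(){
    //$imageFilename = UniteFunctionsRev::getGetVar("img");
    $imageID = intval(UniteFunctionsRev::getGetVar("img"));
    $this->showImageByID($imageID);
    //$this->showImage($imageFilename,$maxWidth,$maxHeight,$type);
  }
}
"""


def find_image_view_files(wp_root):
    """Return every image_view.class.php found in the candidate folders."""
    themes_dir = os.path.join(wp_root, "wp-content", "themes")
    themes = sorted(os.listdir(themes_dir)) if os.path.isdir(themes_dir) else []
    found = []
    for rel in CANDIDATE_DIRS:
        for theme in (themes if "THEME" in rel else [""]):
            path = os.path.join(wp_root, rel.replace("THEME", theme), TARGET)
            if os.path.isfile(path):
                found.append(path)
    return found


def classify(src):
    """'patched', 'unpatched' or 'unknown' based on what showImageFromGet does with img.
    Only // line comments are stripped (a // inside a string is stripped too), so a
    call hidden in a /* */ block comment would still count as live code."""
    code = re.sub(r"//[^\n]*", "", src)
    raw_img = re.search(r'\$imageFilename\s*=\s*UniteFunctionsRev::getGetVar\(\s*"img"', code)
    raw_call = re.search(r"\$this->showImage\(\s*\$imageFilename", code)
    int_id = re.search(r'intval\(\s*UniteFunctionsRev::getGetVar\(\s*"img"', code)
    by_id = re.search(r"function\s+showImageByID\s*\(", code)
    if int_id and by_id and not raw_call:
        return "patched"
    if raw_img or raw_call:
        return "unpatched"
    return "unknown"


def backup(path):
    """Copy the file next to itself with a timestamped .bak suffix (step 2 of the post)."""
    dest = "%s.%s.bak" % (path, time.strftime("%Y%m%d%H%M%S"))
    shutil.copy2(path, dest)
    return dest


def audit(wp_root, make_backup=False):
    """Classify every copy found under wp_root; paths are reported relative to it."""
    report = []
    for path in find_image_view_files(wp_root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            entry = {"path": os.path.relpath(path, wp_root), "status": classify(fh.read())}
        if make_backup:
            entry["backup"] = backup(path)
        report.append(entry)
    return report


def build_demo_site():
    """Create a throwaway WordPress-like tree with one unpatched and one patched copy."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    for rel, src in (("wp-content/plugins/revslider/inc_php", UNPATCHED_SAMPLE),
                     ("wp-content/themes/demo-theme/revslider/inc_php", PATCHED_SAMPLE)):
        os.makedirs(os.path.join(root, rel))
        with open(os.path.join(root, rel, TARGET), "w", encoding="utf-8") as fh:
            fh.write(src)
    return root


if __name__ == "__main__":
    for entry in audit(build_demo_site(), make_backup=True):
        print(entry)
```

Run it against a real install by calling audit("/path/to/wordpress", make_backup=True); a theme-bundled copy and a plugin copy can both exist, and both need patching, which is why the report lists every copy rather than stopping at the first.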

  • http://scratch99.com/ Stephen Cronin

    Hi John,

    If people got Slider Revolution via theme, and that theme doesn’t yet include a patched version, then they can actually get the updated version for free. Check out our blog post for more details.

    • Juanjo

      The problem is if you have an older version and have your site heavily customized, neither updating the plugin, nor the complete version will help you, cause it destroys the slider or the complete site. The only way is patching.

      Regards.

      • jb_wp

        I completely agree Juanjo! While I appreciated Stephen’s reply and added his blog link, in our case it was much easier to apply this simple patch on our clients’ sites and know that everything works exactly as it did before.

  • 36above

    This was a fantastic help mate, prevented a lot of rebuilding slider customizations. thank you!

    • jb_wp

      You bet! Glad to hear it’s helping!

  • Steve

    Thanks so much for this – it’s a great help. The problem I have is that some of my websites have WordPress in a subdirectory, i.e. /wordpress, and when I add this subdirectory into the exploit string above (http://yourdomain.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php), it still downloads my .php file – any suggestions on how I could fix this – is there something extra I need to put into the patch code?

    • Steve

      Hi John – I should clarify this. I have done the update successfully on a few sites from October 13 – the problem is just still occurring with a couple of the older sites from July. They’re just so heavily customised, I can’t update. Your solution has been amazing – it has saved me a great amount of work and heartache – thank you so much for posting this. If there’s a chance you have any idea how I can fix the older version, please let me know. I’m happy to post the code for you if it’s easier.

    • Steve

      OK – apologies for wasting everyone’s time (including my own)! It seems that editing this through cPanel didn’t flow through to my site. I edited it through the Plugins Editor in WordPress (you need to drill down on files within a directory to see subdirectories below) and it’s all done. Thanks again John – absolute lifesaver!

      • jb_wp

        Great, glad you worked it out and are all patched up!

  • http://trillamar.com Lucinda Brown

    Thank you John. I really appreciate the time you spent finding the solution and generously sharing this with the WordPress community. It worked for me too!

    • jb_wp

      Good to hear and glad it helped you too!

  • Erwan

    Thank you John for this great patch that really helped us. However, while this patch fixes the main security leak allowing access to wp-config.php, it is not securing the rev_slider module entirely. Other actions are subject to leak (such as upload), and all admin ajax actions should be secured and protected. http://seclists.org/fulldisclosure/2014/Nov/78 Here is another fix proposal in French and in English: http://t.co/lZwVsH8mEo

    • jb_wp

      Thanks Erwan for your info on this new exploit and your patch for it! I’ve added a warning to the top of this post linking to your excellent patch.