WordPress Plugin Revslider update captions CSS file critical vulnerability
03-27-2015 at 11:34 PM
Today was another day at work for SecureLayer7, recovering our client's defaced website, and bang, I think I hit upon a nasty vulnerability in a famous plugin.
Although we successfully patched the vulnerability and fixed the undoing of the blacklisting, on further research I stumbled upon its usage over the internet, and as it turns out a large number of web users online are affected, putting them at greater risk if not mitigated with a proper patch or an update.
The following URL is vulnerable to updating the CSS.
You can test your website by executing this Python code
Code:
wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
I then started digging for the root cause to see what exactly is triggering the bug. I figured out that there is a class file called revslider_admin.php in the Revslider plugin folder, where you can find the onAjaxAction() function, which is what actually triggers the bug.
There is a switch statement where it calls another function, updateCaptionsContentData(), as shown in the image below.
The updateCaptionsContentData() function is located in inc_php/revslider_operations.class.php, which is where the actual cause of the bug lies: as you can see, the writeFile function writes content into the file.
You can patch this bug by installing the latest version of the Revslider builder.
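To check whether a site has already received requests to the endpoint shown above, the web server access log can be searched for that action. The following Python is an added example, not code from the original post or from the plugin; the combined log format, the sample lines and the function names are assumptions, and matching any client_action containing captions_css deliberately widens the single get_captions_css value the post shows.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2015:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css HTTP/1.1" 200 5120 "-" "curl/7.38"
198.51.100.4 - - [27/Mar/2015:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Mar/2015:10:02:30 +0000] "GET /blog/wp-admin/admin-ajax.php?client_action=get_captions_css&action=revslider%5Fajax%5Faction HTTP/1.1" 200 5120 "-" "curl/7.38"
192.0.2.15 - - [27/Mar/2015:10:03:11 +0000] "GET /index.php?action=revslider_ajax_action HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, request target, status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_captions_css_request(target):
    """True if the request target hits the Revslider captions-CSS AJAX action."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/wp-admin/admin-ajax.php"):
        return False
    # parse_qs percent-decodes names and values, so encoded variants still match.
    # Matching is case-lenient on purpose: over-matching is cheap during triage.
    query = {k.lower(): v[-1].lower() for k, v in parse_qs(parts.query).items()}
    return (query.get("action") == "revslider_ajax_action"
            and "captions_css" in query.get("client_action", ""))

def find_hits(log_text):
    """Return {client_ip: [(timestamp, status, target), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_captions_css_request(m.group(4)):
            ip, ts, _method, target, status = m.groups()
            hits[ip].append((ts, int(status), target))
    return dict(hits)

if __name__ == "__main__":
    for ip, rows in find_hits(SAMPLE_LOG).items():
        for ts, status, target in rows:
            print(f"{ip} [{ts}] {status} {target}")
```

Parameters sent in a POST body are not recorded in a standard access log, so this check only sees requests that carry the action in the query string.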
Reference : http://blog.securelayer7.net/wordpre...vulnerability/