I know that WordPress 4.0 was released last night and the majority of the WordPress community is spending these next few days updating their websites and fixing any bugs and issues that arise. With that said, I wanted to make everyone aware of a critical security vulnerability within the WordPress Slider Revolution plugin which is currently being exploited. The vulnerability allows a remote attacker to download any file from the server, such as your wp-config.php file, which holds your database credentials. This then allows the hacker to compromise your website via your database.
ThemePunch, the makers of Slider Revolution, did patch this issue in version 4.2 of their plugin; however, this only applies to those who purchased the plugin directly from them. The real issue lies in the way the plugin is bundled into many different theme packages, and unfortunately this means that webmasters need to perform the updates manually on their own, or rely on the theme's authors to release an updated theme package.
Daniel Cid is keeping track of possibly affected themes over on the Sucuri blog. Furthermore, various hosting companies have created rules within Varnish and/or mod_security to attempt to block such requests. Regardless, if you are using the Slider Revolution plugin within your WordPress blog, make sure to update it to the latest version.
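Because theme-bundled copies are the ones that get missed, here is an added audit script (not from the post or from ThemePunch) that walks wp-content, finds every copy of the plugin, and flags any whose plugin header reports a version below the patched 4.2. It assumes the plugin lives in a directory named revslider with a main file revslider.php carrying the standard WordPress `Version:` header; the sample tree it builds is constructed for illustration.

```python
import os
import re
import tempfile

# Patched version stated in the post; anything below it is treated as vulnerable.
PATCHED_VERSION = (4, 2, 0)

# Standard WordPress plugin header line, e.g. " * Version: 4.1.4" or "Version: 4.2".
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def parse_version(header_text):
    """Return the Version: header as a 3-tuple of ints, or None if absent."""
    m = VERSION_RE.search(header_text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).strip(".").split(".") if p]
    while len(parts) < 3:          # pad "4.2" to (4, 2, 0) for comparison
        parts.append(0)
    return tuple(parts[:3])


def find_revslider_copies(wp_content):
    """Yield (path, version) for every revslider/revslider.php under wp-content,
    whether installed as a plugin or bundled inside a theme (assumed layout)."""
    for root, _dirs, files in os.walk(wp_content):
        if os.path.basename(root) == "revslider" and "revslider.php" in files:
            path = os.path.join(root, "revslider.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                yield path, parse_version(fh.read(4096))  # header is at the top


def audit(wp_content):
    """Return [(path, version_string, is_outdated)] for each copy found."""
    results = []
    for path, ver in find_revslider_copies(wp_content):
        outdated = ver is None or ver < PATCHED_VERSION  # unknown version: assume worst
        results.append((path, ".".join(map(str, ver)) if ver else "unknown", outdated))
    return results


def demo():
    """Build a constructed wp-content tree with two copies and audit it."""
    base = tempfile.mkdtemp()
    samples = {
        "plugins/revslider": "4.2",                       # bought directly, patched
        "themes/sometheme/plugins/revslider": "4.1.4",   # theme-bundled, still old
    }
    for rel, ver in samples.items():
        d = os.path.join(base, rel)
        os.makedirs(d)
        with open(os.path.join(d, "revslider.php"), "w") as fh:
            fh.write("<?php\n/*\nPlugin Name: Slider Revolution\nVersion: %s\n*/\n" % ver)
    return sorted(audit(base))  # plugins/... sorts before themes/...
```

Point `audit()` at a real wp-content directory to list every copy; any row flagged outdated needs a manual update or a new theme package from its author.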