Critical WordPress Plugin Bug Helps Hackers Serve Malware on Over 100,000 Sites

Shaikh Rafia
Posted 2 years ago

Researchers claim that a popular WordPress plugin is being used by criminal hackers to hijack websites and redirect visitors to pages serving malware.

Vulnerabilities in WordPress plugin cause widespread damage:

Researchers from Sucuri, a security firm, reported on Monday that vulnerabilities affecting a WordPress plugin are being used by hackers to compromise websites and spread malware to users’ computers. According to this report, over 100,000 WordPress sites have been compromised so far by exploiting a vulnerability in Slider Revolution. The script planted on targeted sites loads JavaScript malware hosted on a .ru domain.

Slider Revolution is a popular premium WordPress plugin that helps users create responsive sliders. The plugin's vulnerabilities were widely used by remote attackers to download files from affected servers. The flaw, a local file inclusion (LFI) vulnerability, affected version 4.1.4 and earlier, and while it was patched by the developer, a large number of sites remain affected.

Here is how the attack happens:

  • Attackers scan WordPress websites to check which ones have Slider Revolution installed.
  • Once the plugin is detected, the LFI bug is exploited to let the attacker download the wp-config.php file.
  • That file contains important configuration data that helps the attacker compromise the target website.
  • Once the config file has been obtained, a second Slider Revolution vulnerability is exploited. This is used to upload a malicious theme to the website, injecting a second backdoor that redirects the site’s visitors to
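A defender-side check for the two indicators the report describes (an installed Slider Revolution at version 4.1.4 or earlier, and an injected script tag loading from an external .ru host). This is an added Python example, not code from the article or from Sucuri; the plugin header and page HTML below are constructed samples, and the version parser assumes the standard WordPress plugin header format.

```python
import re

# Per the report, 4.1.4 and earlier carry the LFI flaw; later builds are patched.
LAST_VULNERABLE_VERSION = "4.1.4"

# Matches the "Version:" field of a WordPress plugin header comment
# (either " * Version: 1.2.3" or "Version: 1.2.3").
VERSION_LINE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)

# Matches <script src=...> and captures the host part of the URL
# (absolute http/https or protocol-relative //host/...).
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc=["\']?(https?:)?//([^/"\'\s>]+)', re.IGNORECASE)


def parse_plugin_version(header_text):
    """Return the plugin version string from a plugin header, or None."""
    m = VERSION_LINE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version):
    """'4.1.10' -> (4, 1, 10) so that comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.strip(".").split("."))


def is_vulnerable_version(version):
    """True when the version is at or below the last unpatched release."""
    return version_tuple(version) <= version_tuple(LAST_VULNERABLE_VERSION)


def external_script_hosts(html, site_host):
    """Hosts of <script src> tags that do not point back at the site itself."""
    hosts = {m.group(2).lower() for m in SCRIPT_SRC.finditer(html)}
    hosts.discard(site_host.lower())
    return sorted(hosts)


def suspicious_hosts(html, site_host, tlds=(".ru",)):
    """External script hosts whose TLD matches the report's indicator (.ru)."""
    return [h for h in external_script_hosts(html, site_host) if h.endswith(tlds)]


# Constructed sample inputs (not taken from a real site).
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.1.3\n*/\n"
SAMPLE_PAGE = (
    '<html><head>\n'
    '<script src="https://example.com/wp-includes/js/jquery.js"></script>\n'
    '<script src="http://loader.example.ru/js.php"></script>\n'  # constructed injected tag
    '</head></html>'
)

if __name__ == "__main__":
    print("vulnerable plugin:", is_vulnerable_version(parse_plugin_version(SAMPLE_HEADER)))
    print("suspicious script hosts:", suspicious_hosts(SAMPLE_PAGE, "example.com"))
```

Run the version check against the plugin's main file on the server and the host check against a fetched copy of the site's front page; either hit is a reason to take the site offline and restore from a clean backup.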

Slider Revolution is used by thousands of websites. The issue is made worse by the fact that the plugin is bundled into a number of WordPress theme packages, leaving site owners completely unaware that their sites are open to targeted attacks.

Check WordPress security:

In an effort to minimize the impact on the wider internet, Google has already blacklisted over 11,000 websites affected by this SoakSoak malware. WordPress website admins can check the security of their sites using the free Sucuri scanner. The malware was first discovered by Sucuri in September, though it has been in the works since February.

Complete report: Sucuri
