The Sucuri team released an article yesterday about the critical vulnerability found in the Slider Revolution plugin, and there was a huge discussion about the issue and the path taken by the ThemePunch team (the developer of the Slider Revolution plugin) to handle it.
Slider Revolution is one of the most popular WordPress slider plugins. It is used by a large number of websites as a standalone plugin, and it also comes bundled with tons of WordPress themes, including best-selling themes like Avada.
The ThemePunch team confirmed that the issue was patched in version 4.2 and moved on silently, treating it as a security update, which leaves open the question of whether they chose the correct path to address the issue.
Generally, developers come out in the open and give their users details about any possible consequences and the path taken to handle the issue, keeping them in the loop. The best example is how WooThemes handled the vulnerability related to their customers’ credit cards.
Details of the Vulnerability
The vulnerability was disclosed via some underground forums. The issue can easily allow a remote attacker to download any file from the server. They can steal the database credentials, which then allows them to compromise the website via the database.
The path followed by the underground sites shows how someone can easily download the wp-config.php:
This type of vulnerability is known as a Local File Inclusion (LFI) attack. The attacker is able to access, review, and download a local file on the server. This, in case you’re wondering, is a very serious vulnerability that should have been addressed immediately.
As this plugin is bundled with many premium WordPress themes that are used by thousands of WordPress users, it leaves those sites vulnerable to possible attack. So, you need to update it immediately if you have not done so already.
Also, as the plugin is a standalone entity even when it comes bundled with a theme, deactivating the plugin will also do the trick until you are confident about the safety of your site.
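To check whether a site was probed for this kind of file download, you can scan the web server access log for requests whose query string names wp-config.php or uses `../` traversal. The script below is an added example, not code from Sucuri or ThemePunch; it assumes Combined Log Format, and the sample log lines, endpoint name and parameter name are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
SENSITIVE = ("wp-config.php",)
TRAVERSAL = re.compile(r"\.\.[/\\]")

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding (e.g. %252e%252e) so encoded values still match."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return requests whose query string names wp-config.php or uses ../ traversal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        query = fully_decode(urlsplit(m["target"]).query).lower()
        reasons = [name for name in SENSITIVE if name in query]
        if TRAVERSAL.search(query):
            reasons.append("path traversal")
        if reasons:
            # A 200 with a non-empty body means the file was probably served.
            served = m["status"] == "200" and m["size"] not in ("-", "0")
            hits.append({"ip": m["ip"], "time": m["time"], "target": m["target"],
                         "reasons": reasons, "served": served})
    return hits

# Constructed sample lines; /example-endpoint.php and "file" are hypothetical names.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2015:10:01:22 +0000] "GET /example-endpoint.php?file=../wp-config.php HTTP/1.1" 200 3120 "-" "curl/7.30"',
    '203.0.113.7 - - [01/Jan/2015:10:01:25 +0000] "GET /example-endpoint.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 403 210 "-" "curl/7.30"',
    '198.51.100.4 - - [01/Jan/2015:10:02:00 +0000] "GET /blog/?p=12 HTTP/1.1" 200 15200 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2015:10:03:10 +0000] "GET /wp-config.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE):
        state = "SERVED" if hit["served"] else "not served"
        print(hit["ip"], hit["time"], state, hit["reasons"], hit["target"])
```

Any hit marked as served means the database credentials in wp-config.php should be treated as exposed and rotated after updating the plugin.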
You can get more detail about the vulnerability here