CVE-2014-9734
Published 2015-06-30
Priority: P2 · 73 · medium · CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Flags: ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 20.63% (97.2th percentile)
Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| themepunch | slider_revolution | <= 4.1.4 | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring GET requests to wp-admin/admin-ajax.php containing the 'action=revslider_show_image' parameter combined with directory traversal sequences in the 'img' parameter (e.g., '../').
- Successful exploitation will return wp-config.php contents; look for the strings 'DB_NAME', 'DB_PASSWORD', and 'DB_USER' appearing together in the HTTP response body.
- Use the Google dork 'inurl:/wp-content/plugins/revslider' to identify potentially vulnerable WordPress installations exposed on the internet.
- The vulnerability is unauthenticated (no WordPress login required); any remote attacker can trigger the revslider_show_image AJAX action without authentication.
- This CVE (CVE-2014-9734) may be a duplicate of CVE-2015-1579; both describe the same directory traversal via revslider_show_image in wp-admin/admin-ajax.php. Detection rules targeting either CVE cover the same attack vector.
- The affected version ceiling is Slider Revolution Responsive <= 4.1.4; installations running versions above this threshold are not vulnerable to this specific path traversal.
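The first two detection hints above can be turned into a log check. The following Python script is an added example written for this page; it is not code from the page's sources or from the plugin. It assumes access logs in the Apache/Nginx combined format and uses its own function names (`scan_log`, `is_revslider_traversal`, `looks_like_wpconfig_leak`); the log lines at the bottom are constructed for the example. It decodes the `img` value repeatedly before testing for `..` so that percent-encoded traversal sequences are not missed, and it reports a request as a hit only when both the action and the traversal pattern are present, which keeps benign `revslider_show_image` image loads out of the alert stream.

```python
"""Detection of CVE-2014-9734 / CVE-2015-1579 exploitation attempts in web access logs.

Added example for this page (not the page's or the plugin's own code).
Assumes Apache/Nginx combined log format; sample log lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." path segment followed by a separator or the end of the value
TRAVERSAL_RE = re.compile(r'\.\.(/|$)')

# wp-config.php markers named in the IOC list; all three together indicate a leak
WPCONFIG_MARKERS = ('DB_NAME', 'DB_USER', 'DB_PASSWORD')


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %252e%252e%252f) so encoded traversal is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_revslider_traversal(target):
    """True if a request target matches the revslider_show_image + '..' pattern."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('/wp-admin/admin-ajax.php'):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    actions = [a.lower() for a in params.get('action', [])]
    if 'revslider_show_image' not in actions:
        return False
    for img in params.get('img', []):
        # Normalise backslashes to forward slashes before the traversal test
        normalised = decode_fully(img).replace('\\', '/')
        if TRAVERSAL_RE.search(normalised):
            return True
    return False


def scan_log(lines):
    """Return (ip, timestamp, target, status) for every matching request line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if is_revslider_traversal(m.group('target')):
            hits.append((m.group('ip'), m.group('ts'), m.group('target'), int(m.group('status'))))
    return hits


def looks_like_wpconfig_leak(body):
    """True if an HTTP response body carries all three wp-config.php credential markers."""
    return all(marker in body for marker in WPCONFIG_MARKERS)


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2014:12:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3120',
    '203.0.113.5 - - [10/Sep/2014:12:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%252F..%252Fwp-config.php HTTP/1.1" 200 3120',
    '198.51.100.7 - - [10/Sep/2014:12:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slider1.jpg HTTP/1.1" 200 48211',
    '198.51.100.9 - - [10/Sep/2014:12:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 43',
    '192.0.2.33 - - [10/Sep/2014:12:04:00 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 512',
]

if __name__ == '__main__':
    for ip, ts, target, status in scan_log(SAMPLE_LOG):
        print(f'{ts} {ip} status={status} {target}')
```

Only the first two sample lines are reported: the third is a legitimate image request through the same AJAX action, the fourth is unrelated, and the fifth is traversal against a different endpoint. A status of 200 on a hit, combined with `looks_like_wpconfig_leak` run over the captured response body where a proxy or WAF retains it, separates attempts from successful disclosures.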
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 5.0 | MEDIUM | — |
GHSA
GHSA-rvjj-jxmx-c45g (CVE-2015-1579, MEDIUM, CWE-22) · ghsa_unreviewed · 2022-05-17 · CVSS 5.0
Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.
GHSA
GHSA-2mp6-6cqc-j393 (CVE-2014-9734, MEDIUM, CWE-22) · ghsa_unreviewed · 2022-05-17
Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.
VulnCheck
CVE-2015-1579 [MEDIUM] · elegantthemes divi · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') · vulncheck · 2015 · CVSS 5.0
Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.
Affected: elegantthemes divi
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
Exploit PoC: https://vulncheck.com/xdb/6ccdf94b0bd1; https://vulncheck.com/xdb/ad076f4bdf7d
VulnCheck
CVE-2014-9734 [MEDIUM] · themepunch slider_revolution · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') · vulncheck · 2014 · CVSS 5.0
Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.
Affected: themepunch slider_revolution
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html; https://www.wordfence.com/blog/2020/06/large-scale-attack-campaign-targets-database-credentials/
No detection rules found.
Exploit-DB
CVE-2015-1579 · WordPress Plugin Slider REvolution 4.1.4 - Arbitrary File Download · exploitdb · 2015-03-30
---
# Exploit Title : WordPress Slider Revolution Responsive <= 4.1.4 Arbitrary File Download vulnerability
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380
# Software Link : Premium plugin
# Dork Google: revslider.php "index of"
# Date : 2014-07-24
# Tested on : Windows 7 / Mozilla Firefox; Linux / Mozilla Firefox
######################
# Description
WordPress Slider Revolution Responsive <= 4.1.4 suffers from an Arbitrary File Download vulnerability
######################
# PoC
http://localhost/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
#####################
Discovered By : Claudio Viviani
Exploit-DB
CVE-2015-1579 · Multiple WordPress Themes - 'admin-ajax.php?img' Arbitrary File Download · exploitdb · 2014-09-01
---
# WordPress CuckooTap Theme & eShop Arbitrary File Download
# Risk: High
# CWE number: CWE-200
# Author: Hugo Santiago
# Contact: [email protected]
# Date: 31/08/2014
# Vendor Homepage: http://themeforest.net/item/cuckootap-one-page-parallax-wp-theme-plus-eshop/3512405
# Tested on: Windows 7 and Gnu/Linux
# Google Dork: "Index of" +/wp-content/themes/cuckootap/
# WordPress IncredibleWP Theme Arbitrary File Download
# Vendor Homepage: http://freelancewp.com/wordpress-theme/incredible-wp/
# Google Dork: "Index of" +/wp-content/themes/IncredibleWP/
# WordPress Ultimatum Theme Arbitrary File Download
# Vendor Homepage: http://ultimatumtheme.com/ultimatum-themes/s
# Google Dork: "Index of" +/wp-content/themes/ul
Nuclei
CVE-2015-1579 [MEDIUM] · WordPress Slider Revolution - Local File Disclosure · nuclei · CVSS 5.0
Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.
Template:
id: CVE-2015-1579
info:
  name: WordPress Slider Revolution - Local File Disclosure
  author: pussycat0x
  severity: medium
  description: |
    Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.
  impact: |
    An atta
No writeups or analysis indexed.
References
- http://marketblog.envato.com/news/affected-themes/
- http://marketblog.envato.com/news/plugin-vulnerability/
- http://packetstormsecurity.com/files/132366/WordPress-Revslider-4.2.2-XSS-Information-Disclosure.html
- http://www.exploit-db.com/exploits/34511
- https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
- https://blog.sucuri.net/2014/12/revslider-vulnerability-leads-to-massive-wordpress-soaksoak-compromise.html
- https://plugins.trac.wordpress.org/browser/patch-for-revolution-slider/trunk/revsliderpatch.php