CVE-2014-9735
published 2015-06-30

CVE-2014-9735: The ThemePunch Slider Revolution (revslider) plugin before 3.0.96 for WordPress and Showbiz Pro plugin 1.7.1 and earlier for Wordpress does not properly…

Priority: P1 · 82 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 75.26% (99.5th percentile)
The ThemePunch Slider Revolution (revslider) plugin before 3.0.96 for WordPress and Showbiz Pro plugin 1.7.1 and earlier for Wordpress does not properly restrict access to administrator AJAX functionality, which allows remote attackers to (1) upload and execute arbitrary files via an update_plugin action; (2) delete arbitrary sliders via a delete_slider action; and (3) create, (4) update, (5) import, or (6) export arbitrary sliders via unspecified vectors.

Affected (2 ranges)

Vendor       Product            Version range   Fixed in
themepunch   showbiz_pro        <= 1.7.1        not listed
themepunch   slider_revolution  <= 3.0.95       3.0.96

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
path: /wp-content/plugins/revslider/temp/update_extract/revslider/
path: /wp-content/plugins/revslider/temp/update_extract/
path: /wp-content/plugins/revslider/release_log.txt
request params: action=revslider_ajax_action&client_action=update_plugin
  • Detect exploit attempts by looking for POST requests to /wp-admin/admin-ajax.php with a multipart/form-data body that carries both 'revslider_ajax_action' in the action field and 'update_plugin' in the client_action field, together with a zip file upload.
  • A successful exploitation response body contains the string 'Update in progress'. Monitor HTTP 200 responses to admin-ajax.php for this string following a file-upload POST.
  • After upload, the attacker fetches the dropped PHP webshell from /wp-content/plugins/revslider/temp/update_extract/revslider/<random>.php. Monitor GET requests to this path for web shell access.
  • The Nuclei template confirms exploitation by matching a response body that contains both 'Update in progress...' and 'wp-admin/admin.php?page=revslider&view=sliders' with HTTP 200.
  • /wp-content/plugins/revslider/release_log.txt is readable without authentication and its contents disclose the installed plugin version; scanners read it to decide whether the install is below 3.0.96 before exploiting. The file's mere presence identifies the plugin, not a vulnerable version, so parse the version out of it rather than alerting on a 200 alone.
  • The exploit POST to admin-ajax.php sends the X-Requested-With: XMLHttpRequest header. On its own this header is normal WordPress AJAX traffic; correlate it with the multipart zip upload to the revslider AJAX endpoint rather than alerting on it by itself.
  • The uploaded PHP payload filename is randomized (4–8 random alpha characters) per exploit run, so static filename-based detection is insufficient; path-pattern matching on /wp-content/plugins/revslider/temp/update_extract/ is required. Key the rule on direct HTTP requests for .php files under that directory, since an administrator-driven plugin update extracts files into the same location.
  • If the filename inside the zip is 'revslider.php', it will be automatically executed but will break the plugin and sometimes WordPress; the Metasploit module deliberately avoids this name.
  • The AJAX endpoint returns a bare '0' body (HTTP 200) when the action 'revslider_ajax_action' is unknown or the plugin is deactivated. This response should NOT be treated as a successful exploit, although the request is still an attempt worth recording.
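The rules above, implemented as one classifier and run over constructed traffic. This is an added example, not code from the page's sources, the Nuclei template or the Metasploit module. It assumes a proxy or WAF log that exposes the request method, path, headers, multipart body and the response (a plain access log has no request body); that the zip travels in a form field named update_file; and that release_log.txt contains lines of the form "Version X.Y.Z". The sample records are constructed, not captured.

```python
"""Detection logic for CVE-2014-9735 run over constructed request/response
records. Added example, not code from the page's sources. Assumes a proxy or
WAF log that exposes method, path, headers, multipart body and response (a plain
access log has no request body) and that the zip travels in a form field named
update_file, which is an assumption about the exploit tooling."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

AJAX_PATH = "/wp-admin/admin-ajax.php"
RELEASE_LOG = "/wp-content/plugins/revslider/release_log.txt"
# The dropped file gets a randomized 4-8 letter name, so match the directory
# plus a .php suffix instead of any fixed filename.
EXTRACT_RE = re.compile(r"^/wp-content/plugins/revslider/temp/update_extract/.+\.php$")
ZIP_PART_RE = re.compile(r'name="[^"]+"; filename="[^"]*\.zip"', re.I)
FIXED_VERSION: Tuple[int, ...] = (3, 0, 96)


@dataclass
class Record:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""
    status: int = 200
    resp_body: str = ""


def form_field(body: str, name: str) -> Optional[str]:
    """Return the value of a plain (non-file) multipart/form-data text field."""
    m = re.search(r'name="%s"\r\n\r\n(.*?)\r\n' % re.escape(name), body, re.S)
    return m.group(1) if m else None


def is_update_plugin_upload(rec: Record) -> bool:
    """POST to admin-ajax.php carrying action=revslider_ajax_action,
    client_action=update_plugin and a .zip file part: the exploit shape."""
    if rec.method != "POST" or rec.path.split("?", 1)[0] != AJAX_PATH:
        return False
    if "multipart/form-data" not in rec.headers.get("Content-Type", ""):
        return False
    return (form_field(rec.body, "action") == "revslider_ajax_action"
            and form_field(rec.body, "client_action") == "update_plugin"
            and ZIP_PART_RE.search(rec.body) is not None)


def classify(rec: Record) -> str:
    """One label per record: webshell_access, version_probe, exploit_success,
    not_exploited, exploit_attempt or benign."""
    if rec.method == "GET" and EXTRACT_RE.match(rec.path):
        return "webshell_access"
    if rec.method == "GET" and rec.path == RELEASE_LOG:
        return "version_probe"
    if is_update_plugin_upload(rec):
        if rec.status == 200 and "Update in progress" in rec.resp_body:
            return "exploit_success"
        # A bare '0' means WordPress did not know the action (plugin absent or
        # deactivated): still an attempt, not a compromise.
        if rec.status == 200 and rec.resp_body.strip() == "0":
            return "not_exploited"
        return "exploit_attempt"
    return "benign"


def vulnerable_version(release_log: str) -> Optional[bool]:
    """Parse 'Version X.Y.Z' lines from release_log.txt (line format assumed)
    and compare the newest as an int tuple; string comparison would rank
    3.0.9 above 3.0.10. Returns None when no version line is found."""
    found = re.findall(r"(?im)^\s*version\s+(\d+(?:\.\d+)+)", release_log)
    if not found:
        return None
    newest = max(tuple(int(p) for p in v.split(".")) for v in found)
    return newest < FIXED_VERSION


def multipart(parts: List[Tuple[str, Optional[str], str]], boundary: str = "----x") -> str:
    """Build a CRLF-framed multipart body from (name, filename, value) tuples."""
    out = []
    for name, filename, value in parts:
        disp = f'form-data; name="{name}"' + (f'; filename="{filename}"' if filename else "")
        out.append(f"--{boundary}\r\nContent-Disposition: {disp}\r\n\r\n{value}\r\n")
    return "".join(out) + f"--{boundary}--\r\n"


UPLOAD_HEADERS = {"Content-Type": "multipart/form-data; boundary=----x",
                  "X-Requested-With": "XMLHttpRequest"}
UPLOAD_BODY = multipart([("action", None, "revslider_ajax_action"),
                         ("client_action", None, "update_plugin"),
                         ("update_file", "qzkt.zip", "PK\x03\x04<zip bytes>")])

# Constructed traffic for the demo, not captured data.
SAMPLES = {
    "upload_ok": Record("POST", AJAX_PATH, UPLOAD_HEADERS, UPLOAD_BODY, 200,
                        "Update in progress... wp-admin/admin.php?page=revslider&view=sliders"),
    "upload_no_plugin": Record("POST", AJAX_PATH, UPLOAD_HEADERS, UPLOAD_BODY, 200, "0"),
    "upload_blocked": Record("POST", AJAX_PATH, UPLOAD_HEADERS, UPLOAD_BODY, 403, "Forbidden"),
    "shell_hit": Record("GET", "/wp-content/plugins/revslider/temp/update_extract/revslider/qzkt.php"),
    "fingerprint": Record("GET", RELEASE_LOG, status=200, resp_body="Version 3.0.95\n..."),
    "heartbeat": Record("POST", AJAX_PATH, {"Content-Type": "application/x-www-form-urlencoded"},
                        "action=heartbeat", 200, "{}"),
}


def scan(records: Dict[str, Record]) -> Dict[str, str]:
    """Label every record in a batch."""
    return {name: classify(rec) for name, rec in records.items()}


if __name__ == "__main__":
    for name, label in scan(SAMPLES).items():
        print(f"{name:18} {label}")
    print("vulnerable per release_log:", vulnerable_version(SAMPLES["fingerprint"].resp_body))
```

The three upload records share one body and differ only in the response, which is the point: the request alone identifies an attempt, the 'Update in progress' string identifies success, and the bare '0' identifies an attempt against a site where the plugin was not active. The version check compares integer tuples so a future 3.0.100 is not misranked below 3.0.96.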

CVSS provenance

nvd: v2.0 7.5 HIGH AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 7.5 HIGH