CVE-2014-9735
published 2015-06-30
CVE-2014-9735: The ThemePunch Slider Revolution (revslider) plugin before 3.0.96 for WordPress and Showbiz Pro plugin 1.7.1 and earlier for WordPress does not properly…
Priority: P182 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 75.26% (99.5th percentile)
The ThemePunch Slider Revolution (revslider) plugin before 3.0.96 for WordPress and Showbiz Pro plugin 1.7.1 and earlier for WordPress does not properly restrict access to administrator AJAX functionality, which allows remote attackers to (1) upload and execute arbitrary files via an update_plugin action; (2) delete arbitrary sliders via a delete_slider action; and (3) create, (4) update, (5) import, or (6) export arbitrary sliders via unspecified vectors.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| themepunch | showbiz_pro | <= 1.7.1 | — |
| themepunch | slider_revolution | <= 3.0.95 | — |
Detection & IOCs (extracted from sources)
path: /wp-content/plugins/revslider/temp/update_extract/
- Detect exploit attempts by looking for POST requests to /wp-admin/admin-ajax.php with multipart form-data containing both 'revslider_ajax_action' as the action field and 'update_plugin' as the client_action field, with a zip file upload.
- A successful exploitation response body contains the string 'Update in progress'. Monitor HTTP 200 responses to admin-ajax.php for this string following a file upload POST.
- After upload, the attacker fetches the dropped PHP webshell from /wp-content/plugins/revslider/temp/update_extract/revslider/<random>.php. Monitor GET requests to this path for web shell access.
- The Nuclei template confirms exploitation by matching the response body containing both 'Update in progress...' and 'wp-admin/admin.php?page=revslider&view=sliders' with HTTP 200.
- Check for the presence of /wp-content/plugins/revslider/release_log.txt to fingerprint vulnerable plugin versions (below 3.0.96) prior to exploitation.
- The X-Requested-With: XMLHttpRequest header is used in the exploit POST to admin-ajax.php. Correlate this header with the multipart upload of a zip file to the revslider AJAX endpoint.
- The uploaded PHP payload filename is randomized (4–8 random alpha characters) per exploit run, so static filename-based detection is insufficient; path-pattern matching on /wp-content/plugins/revslider/temp/update_extract/ is required.
- If the filename inside the zip is 'revslider.php', it will be automatically executed but will break the plugin and sometimes WordPress; the Metasploit module deliberately avoids this name.
- The AJAX endpoint returns a bare '0' body (HTTP 200) when the action 'revslider_ajax_action' is unknown or the plugin is deactivated. This response should NOT be treated as a successful exploit.
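
The path-pattern check and the POST-then-GET sequence described above, as an added example that is not part of the original page or of any cited tool. Standard access logs do not record POST bodies or response bodies, so the sketch correlates on request paths only; the combined log format, the 10-minute window, the severity labels and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Dec/2014:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Dec/2014:10:00:03 +0000] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/qWzkPa.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Dec/2014:10:05:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Dec/2014:10:05:02 +0000] "GET /wp-content/plugins/revslider/css/settings.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Dec/2014:11:00:00 +0000] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/abcd.php?x=1 HTTP/1.1" 404 150 "-" "curl/7.30"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
AJAX_PATH = "/wp-admin/admin-ajax.php"
# Payload names are randomized, so match any .php under the extract directory.
DROP_RE = re.compile(r"^/wp-content/plugins/revslider/temp/update_extract/.*\.php$", re.I)
WINDOW = timedelta(minutes=10)  # assumed correlation window


def find_revslider_hits(log_text):
    """Return (severity, ip, path, status) for PHP requests under update_extract/."""
    last_ajax_post = {}  # client IP -> time of latest POST to admin-ajax.php
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["uri"].split("?", 1)[0]
        if m["method"] == "POST" and path == AJAX_PATH:
            last_ajax_post[m["ip"]] = ts
        elif DROP_RE.match(path):
            prior = last_ajax_post.get(m["ip"])
            correlated = prior is not None and ts - prior <= WINDOW
            # A 200 on a PHP file in the extract directory means the file exists.
            served = m["status"] == "200"
            severity = "high" if correlated and served else "medium" if served else "low"
            findings.append((severity, m["ip"], path, int(m["status"])))
    return findings


if __name__ == "__main__":
    for finding in find_revslider_hits(SAMPLE_LOG):
        print(finding)
```

A POST to admin-ajax.php alone is normal WordPress traffic and is never reported by itself; confirming the 'update_plugin' field or the 'Update in progress' response requires a WAF or proxy that logs bodies.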
CVSS provenance
- nvd: v2.0, 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- vulncheck: 7.5 HIGH
GHSA
GHSA-86x3-cgp4-637q: The ThemePunch Slider Revolution (revslider) plugin before 3
ghsa_unreviewed·2022-05-17
VulnCheck
ThemePunch Slider Revolution (revslider) plugin before 3.0.96 for WordPress and Showbiz Pro plugin 1.7.1 and earlier for WordPress Admin AJAX Security Bypass
vulncheck·2014·CVSS 7.5
Affected: themepunch showbiz_pro
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are un
No detection rules found.
Exploit-DB
WordPress Plugin RevSlider 3.0.95 - Arbitrary File Upload / Execution (Metasploit)
exploitdb·2015-05-08
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Wordpress RevSlider File Upload and Execute Vulnerability',
      'Description' => %q{
        This module exploits an arbitrary PHP code upload in the WordPress ThemePunch
        Revolution Slider ( revslider ) plugin, version 3.0.95 and prior. The
        vulnerability allows for arbitrary file upload and remote code execution.
      },
      'Author' =>
        [
          'Simo Ben youssef', # Vulnerability discovery
          'Tom Sellers ' # Metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['URL', 'https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/']
```
Metasploit
WordPress RevSlider File Upload and Execute Vulnerability
metasploit
This module exploits an arbitrary PHP code upload vulnerability in the WordPress ThemePunch Slider Revolution (RevSlider) plugin, versions 3.0.95 and prior. The vulnerability allows for arbitrary file upload and remote code execution.
Nuclei
WordPress RevSlider - Remote Code Execution via File Upload
nuclei·CVSS 7.5
Template:
```yaml
id: CVE-2014-9735

info:
  name: WordPress RevSlider - Remote Code Execution via File Upload
  author: iamnoooob,pdresearch
  severity: high
  description: |
    The ThemePunch Slider Revolution (revslider) plugin before 3.0.96 for WordPress and Showbiz Pro plugin 1.7.1 and ear
```
- http://seclists.org/fulldisclosure/2014/Nov/78
- http://www.securityfocus.com/bid/71306
- http://www.themepunch.com/products/old-revolution-slider-pre-4-2-vulnerabilty-explained/
- https://blog.sucuri.net/2014/12/revslider-vulnerability-leads-to-massive-wordpress-soaksoak-compromise.html
- https://plugins.trac.wordpress.org/browser/patch-for-revolution-slider/trunk/revsliderpatch.php
- https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/
- https://wpvulndb.com/vulnerabilities/7954