CVE-2015-1579
published 2015-02-11


Priority: P2 · 71 · Medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 22.05% (97.4th percentile)
Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
url: /blog/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
path: /wp-admin/admin-ajax.php
sigma
matchers:
- type: word
  part: body
  words:
  - "'DB_NAME'"
  - "'DB_PASSWORD'"
  - "'DB_USER'"
  condition: and
- type: status
  status:
  - 200
  • Detect exploitation attempts by monitoring GET requests to wp-admin/admin-ajax.php with the 'action=revslider_show_image' parameter combined with directory traversal sequences (../) in the 'img' parameter.
  • Successful exploitation is confirmed when the HTTP 200 response body contains WordPress database credential strings such as 'DB_NAME', 'DB_PASSWORD', and 'DB_USER', indicating wp-config.php was disclosed.
  • Use the Google dork 'inurl:/wp-content/plugins/revslider' to identify potentially vulnerable WordPress installations exposed on the internet.
  • The vulnerability is unauthenticated (no WordPress login required); any remote attacker can trigger the traversal via a direct GET request to the admin-ajax.php endpoint.
  • This CVE may be a duplicate of CVE-2014-9734; the same vulnerable endpoint and traversal technique appear across multiple WordPress themes (Divi, CuckooTap, IncredibleWP, Ultimatum, Medicate, Centum, Avada, Striking, Beach Apollo) that bundle the RevSlider plugin, so detections should not be scoped to a single theme.
  • The affected plugin version is Slider Revolution Responsive <= 4.1.4; detections should be validated against this version ceiling to avoid false positives on patched installations.
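The two-stage detection logic described above (flag the request pattern, then confirm disclosure from the response body) as an added Python example; it is not part of this record or of any vendor's rule set, and the proxy records it runs over are constructed for the example. It also normalises single and double URL-encoded traversal sequences, which the request-only indicators above do not cover.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample records for the example (request path, HTTP status, response body snippet).
# These are made-up records, not real traffic.
SAMPLE_RECORDS = [
    ("/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php", 200,
     "<?php define('DB_NAME', 'wp'); define('DB_USER', 'wp'); define('DB_PASSWORD', 'x');"),
    ("/blog/wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2F..%2Fwp-config.php", 200,
     "define('DB_NAME', 'wp');"),  # traversal attempt, but not all three markers returned
    ("/wp-admin/admin-ajax.php?action=revslider_show_image&img=slide1.jpg", 200, "\xff\xd8\xff"),
    ("/wp-admin/admin-ajax.php?action=heartbeat", 200, "{}"),
]

# The three body markers from the matcher above, combined with an AND condition.
CRED_MARKERS = ("'DB_NAME'", "'DB_PASSWORD'", "'DB_USER'")
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def is_traversal_attempt(path):
    """Stage 1: endpoint is admin-ajax.php, action is revslider_show_image,
    and the img parameter carries a '..' path segment after URL decoding."""
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    qs = parse_qs(parts.query)  # parse_qs already decodes one layer of %-encoding
    if "revslider_show_image" not in qs.get("action", []):
        return False
    # unquote once more so double-encoded sequences (%252E%252E%252F) are also caught
    return any(TRAVERSAL.search(unquote(img)) for img in qs.get("img", []))


def is_confirmed_disclosure(status, body):
    """Stage 2: HTTP 200 whose body contains all three credential markers."""
    return status == 200 and all(marker in body for marker in CRED_MARKERS)


def classify(path, status, body):
    """benign / attempt / confirmed, mirroring the detection bullets above."""
    if not is_traversal_attempt(path):
        return "benign"
    return "confirmed" if is_confirmed_disclosure(status, body) else "attempt"


def classify_records(records):
    return [classify(path, status, body) for path, status, body in records]


if __name__ == "__main__":
    for record, verdict in zip(SAMPLE_RECORDS, classify_records(SAMPLE_RECORDS)):
        print(verdict, record[0])
```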

CVSS provenance

NVD (CVSS v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
VulnCheck: 5.0 MEDIUM