The popular open-source WordPress blogging and content management system (CMS) is at risk from a vulnerable third-party plug-in that many users may not even realize they are running. According to security firm Sucuri, the vulnerability may have already exposed more than 100,000 WordPress Websites to exploitation via malware known as SoakSoak.
The actual vulnerability is in the RevSlider third-party plug-in, which is often bundled by WordPress theme developers in themes that WordPress site administrators can choose to install.
Sucuri first warned of vulnerabilities in the RevSlider plug-in in September, and an updated version of the plug-in has been available for months. It wasn’t until Dec. 14 that a large-scale attack that abuses the RevSlider vulnerabilities emerged. The attack leverages the RevSlider vulnerabilities to connect with the SoakSoak.ru domain to load a JavaScript malware.
“This plug-in [RevSlider] has multiple vulnerabilities, and one of them allows anyone to upload a theme to the vulnerable site,” Daniel Cid, co-founder and CTO of Sucuri, explained to eWEEK. “Attackers are leveraging it to upload a backdoor that gives them control of the Website.”
Cid added that the vulnerability is not really an application permission issue, but rather it is more of an issue about a lack of access control on the upload functions.
While some malware spreads with worm functionality that self-replicates, that’s not the case with the SoakSoak malware infection.
“It is spreading so quickly because this plug-in is integrated by many themes and most Webmasters are not even aware they have this plug-in in their sites,” Cid said. “We are not seeing a worm out of it, just a massive scanning looking for vulnerable hosts.”
What Should Be Done
The simple truth of the matter is that there are WordPress sites that are running out-of-date third-party plug-ins.
“The main issue is the lack of awareness from Webmasters that have been using an unpatched plug-in for months,” Cid said. “If they had updated or taken the proper security steps, like installing a Website firewall or hardened their sites, they would have been safe.”
The issue of out-of-date third-party plug-ins representing a risk to WordPress sites is not a new one. In July, Sucuri warned of potential malware infections that leveraged an out-of-date MailPoet plug-in for WordPress.
The open-source WordPress project has provided automatic updates for security fixes in the core WordPress application since the 3.7 version in October 2013. The automatic updates do not currently include automatically updating all of a user’s plug-ins.
Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, noted that those who are in charge of checking the security of WordPress already warn users about out-of-date plug-ins. The latest WordPress releases provide users with a list of plug-ins that need to be updated on users’ WordPress dashboard. Hansen added that it would be a good idea if WordPress gave users the option to automatically disable plug-ins that are known to be vulnerable, without risking the user’s sites.
“Given that plug-ins are the most vulnerable part of the ecosystem, it would be prudent to treat them as unknown and potentially dangerous software that can and should be disabled if the administrators are paranoid,” Hanson told eWEEK.
The idea of fully automated security updates is not one that sits well with Amichai Shulman, CTO of Imperva.
“Most organizations would not allow any functional change to go live untested in a lab, and without a proper change management process,” Shulman told eWEEK. “Why would someone give this up for a security fix?”
Shulman sees the deployment of Web Application Firewall (WAF) rules as being a key mechanism to minimize security risk. Some WAFs provide out-of-the-box protection against the specific type of vulnerability that led to the SoakSoak infection, which is an arbitrary file access through directory traversal issue, he added.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.