

Critical Security Vulnerability Found in WordPress Slider Revolution Plugin - aikah
http://wptavern.com/critical-security-vulnerability-found-in-wordpress-slider-revolution-plugin-immediate-update-advised

======
aikah
I found this story interesting because:

- the exploit is so easy hundreds of websites will be affected (you can steal
DB credentials just by typing a URL).

- it's a combination of negligence from the developer of the plugin, who didn't
disclose the exploit for 6 months (he just patched it), and the fact that, like him, a
lot of WordPress plugin developers just don't know what they are doing.

The hack relies on a simple directory traversal attack:

[http://en.wikipedia.org/wiki/Directory_traversal_attack](http://en.wikipedia.org/wiki/Directory_traversal_attack)

Many pro developers, even here, use WordPress to host content for
clients. It's important they know what they risk with 3rd party plugins such as
a simple image slider.

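For readers maintaining their own plugins, here is an added example of the guard a PHP plugin should put in front of any file read driven by a request parameter; it is not code from the article or from the Slider Revolution plugin, and `$base_dir`, the `file` query parameter and `resolve_within_base()` are hypothetical names chosen for illustration.

```php
<?php
// Added defensive example (hypothetical plugin code, not the vulnerable plugin's own).
// Goal: serve only files that really live under an allowlisted directory, so a
// request carrying "../" sequences cannot walk out of it and read other files.

/**
 * Resolve a user-supplied relative file name against an allowlisted directory.
 * Returns the canonical absolute path, or null when the request is malformed,
 * the file does not exist, or its real location lies outside $base_dir.
 */
function resolve_within_base(string $base_dir, string $requested): ?string
{
    // Canonicalise the base so the prefix check below compares like with like.
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // Null bytes can truncate paths in lower layers; refuse them outright.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "." and ".." and follows symlinks, so the result is
    // the file's real location on disk; a missing file yields false.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false) {
        return null;
    }
    // The canonical path must sit strictly inside the base directory.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Vulnerable pattern for comparison: handing the parameter straight to the
// filesystem is exactly the directory traversal the post describes.
//   readfile($base_dir . '/' . $_GET['file']);   // do NOT do this

// Hardened use: validate first, then read.
$base_dir = __DIR__ . '/public';                  // hypothetical asset directory
$path = resolve_within_base($base_dir, $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: application/octet-stream');
readfile($path);
```

Because the check runs on the canonicalised path rather than on the raw string, encoded or nested `../` variants and symlinks pointing outside the directory are all rejected by the same prefix comparison.
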
------
krapp
As someone who both uses WordPress and develops plugins (which I try my best
to make secure) this is both annoying and terrifying. I don't know how you
could have a plugin architecture in PHP like WordPress has, and have any real
security without some constant diligence.

