Business

Serious Vulnerability in WordPress Plugin sold via Envato Market

Yesterday we were made aware via the security blog Sucuri of a serious vulnerability in two popular WordPress plugins available for sale on CodeCanyon from the author ThemePunch: Slider Revolution and Showbiz Pro (WordPress).

This vulnerability allows remote attackers to access the servers of all sites using earlier versions of these plugins. The vulnerability exists in all versions of Slider Revolution earlier than version 4.2 (released in February 2014) and all versions of Showbiz Pro earlier than 1.5.3 (released in January 2014). The plugins were patched by their author in these releases.

These are highly popular plugins sold both directly on CodeCanyon and also indirectly through inclusion in many popular WordPress themes sold on ThemeForest. As a result, we expect numerous websites to potentially be at risk and are moving to help buyers secure their sites immediately.

What are we doing about it?

UPDATED AT 1:00PM AEST ON SEPTEMBER 9, 2014

We have put together a set of steps that affected buyers can take to secure their sites. These are below. Please read them carefully.

Because the plugins are so widely used in themes (particularly Slider Revolution), we have been compiling information to understand where they appear and whether they have been updated or not. We have been tracking this in our list of potentially affected themes, which is now split into two sections:

  • Themes that “may” have been affected at some point, but an update is now available
  • Themes that are affected and for which no update is available today.

We found 338 themes with an older version of one of the plugins. We disabled those that were still active and contacted authors to get an update through asap.

As of today, 139 (42%) of these themes have been updated and re-enabled. The remaining 194 will stay temporarily disabled until updated.

We have also made the patched plugin available for users who purchased any of the 194 affected themes with no current update available or an Envato Bundle with an affected theme.

We have provided, and will continue to provide, updates via this blog post, forums and social channels. We are also posting a global announcement across ThemeForest and CodeCanyon and have started emailing all affected buyers with instructions.

What do you need to do?

UPDATED AT 1:00PM AEST ON SEPTEMBER 9, 2014

Given the severity of the risk and the widespread nature of exposure, we strongly urge you to check if you are affected, and follow the recommended steps immediately.

As a general precaution, we encourage all users who have either purchased or sold an affected plugin or theme to update their server passwords asap. To maximize security, please follow password best practices.

Did you purchase Slider Revolution or Showbiz Pro (WordPress) from CodeCanyon?

  • Check the installed versions of the Slider Revolution and/or Showbiz Pro plugins. Details on how to check your plugin are provided below.
  • If you have a version of Slider Revolution plugin that is 4.2 or higher, or Showbiz Pro that is 1.5.3 or higher, your plugin install has already been patched. No further action is required.
  • If you are using an earlier version, you need to download the plugin again (to get a more recent version), and install it immediately. You can do so by visiting the item page while logged in. You will see a notice with a download link at the top right of the page:

Have you purchased a theme containing one of the plugins from ThemeForest?

  • Check the installed versions of the Slider Revolution and/or Showbiz Pro plugin(s). Details on how to check your plugin are provided below.
  • If your installed theme uses a version of Slider Revolution plugin that is 4.2 or higher, or Showbiz Pro that is 1.5.3 or higher, your plugin install has already been patched. No further action is required.
  • If your installed theme uses an earlier version of either plugin:
    • Check the list of Potentially Affected Themes
    • Determine which category your theme(s) falls into:
      • Themes already offering a secure update
      • Themes yet to offer a secure update
    • Update to the patched version of the plugin(s) immediately (instructions below)

Instructions for themes already offering a secure update

It is recommended that you make a backup of your site before trying this.

  • Download the theme again from the downloads page (to get a secure version)
  • Locate the downloaded zip file on your computer and unzip it
  • Locate the revslider and/or showbiz folders. If you are not able to locate the folders, please contact the theme author.
  • Connect to your server using an FTP client and go to the wp-content/plugins/ folder
  • Upload the revslider and/or showbiz folders to the wp-content/plugins/ folder, overwriting the existing files
  • Log into WordPress and go to the Plugins page
  • Locate the updated plugins in the list and confirm the version(s) are secure

Instructions for themes not yet offering a secure update

It is recommended that you make a backup of your site before trying this.

  • As a secure update of your theme is not yet available, you can get a free patched version of the plugin(s). This will be available to all users who purchased themes not yet offering a secure update.
  • While logged in, visit the item page for the plugin(s) your theme(s) contained:
  • Download the item by clicking on the “Download free update” button
  • Locate the downloaded zip file on your computer and unzip it
  • Connect to your server using an FTP client and go to the wp-content/plugins/ folder
  • Upload the revslider and/or showbiz folders to the wp-content/plugins/ folder, overwriting the existing files
  • Log into WordPress and go to the Plugins page
  • Locate the updated plugins in the list and confirm the version(s) are secure

Did you purchase a bundle or pack containing the Slider Revolution plugin, Showbiz Pro plugin and/or an affected theme?

  • The following bundles and packs included affected items:
    • Corporate Bundle
    • eCommerce Sampler Pack
    • WordPress Business Builder Pack
    • Digital Trends Bundle
    • Mobile Bundle
  • Plugins and themes contained within bundles and packs are not eligible for updates, so you need to install a patched version of the plugin(s) asap.

Instructions for items from bundles/packs

It is recommended that you make a backup of your site before trying this.

  • As a secure update of your item(s) is not yet available, you can get a free patched version of the plugin(s). This will be available to all users who purchased items not yet offering a secure update.
  • While logged in, visit the item page for the plugin(s) your theme(s) contained:
  • Download the item by clicking on the “Download free update” button
  • Locate the downloaded zip file on your computer and unzip it
  • Connect to your server using an FTP client and go to the wp-content/plugins/ folder
  • Upload the revslider and/or showbiz folders to the wp-content/plugins/ folder, overwriting the existing files
  • Log into WordPress and go to the Plugins page
  • Locate the updated plugins in the list and confirm the version(s) are secure

How to Check Plugin Versions

To check whether you have the updated version of Slider Revolution or Showbiz Pro, please follow these instructions:

  1. Log into the WordPress Admin area
  2. Go to the plugins screen
  3. Locate the Slider Revolution or Showbiz Pro plugin in the list
  4. Check the version number (as shown in the screenshot).

[Screenshot: the Slider Revolution entry on the WordPress Plugins page, with its version number shown]

If the version number of Slider Revolution plugin is 4.2 or higher, or Showbiz Pro is 1.5.3 or higher, you are using a version which contains the fix to the security flaw. If not, follow the instructions above to get an update and patch it immediately.
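For site owners who manage more than one install, or who want to confirm the result after uploading the patched folders over FTP, the same check can be done from the filesystem. The script below is an added example and is not code from Envato, ThemePunch or the Sucuri post. It reads the "Version:" line from each plugin's header comment (the same line the WordPress Plugins page displays) and compares it with the fixed-in versions stated above, 4.2 for Slider Revolution and 1.5.3 for Showbiz Pro. The main file names revslider/revslider.php and showbiz/showbiz.php are assumptions; the sample plugin tree it builds is constructed for the demonstration.

```python
"""Check installed Slider Revolution / Showbiz Pro versions against the patched releases.
Added example; not part of the original announcement."""
import os
import re
import tempfile

# Fixed-in versions stated in the announcement: 4.2 and higher, 1.5.3 and higher.
PATCHED = {
    "revslider": (4, 2, 0),
    "showbiz": (1, 5, 3),
}

# Assumed main plugin file names; WordPress reads the "Version:" line from the
# header comment of this file to populate the Plugins page.
MAIN_FILE = {"revslider": "revslider.php", "showbiz": "showbiz.php"}

# Matches a header line such as "Version: 4.1.4" or " * Version: 4.1.4".
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """Turn '4.1.4' into a comparable tuple padded to three parts.
    Non-numeric suffixes (e.g. '4.2beta') contribute only their leading digits."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def read_header_version(path):
    """Return the Version: value from a WordPress plugin header, or None if absent."""
    with open(path, encoding="utf-8", errors="replace") as f:
        head = f.read(8192)  # WordPress itself only inspects the first 8 KiB
    m = VERSION_RE.search(head)
    return m.group(1) if m else None


def audit_plugins(plugins_dir):
    """Return {slug: (version_string, is_patched)} for each affected plugin found
    under wp-content/plugins. A missing or unreadable header counts as not patched."""
    results = {}
    for slug, filename in MAIN_FILE.items():
        main = os.path.join(plugins_dir, slug, filename)
        if not os.path.isfile(main):
            continue  # plugin not installed on this site
        raw = read_header_version(main)
        if raw is None:
            results[slug] = (None, False)
            continue
        results[slug] = (raw, parse_version(raw) >= PATCHED[slug])
    return results


def build_sample_tree(root):
    """Constructed sample: an old Slider Revolution and a patched Showbiz Pro."""
    samples = {"revslider": "4.1.4", "showbiz": "1.5.3"}
    for slug, version in samples.items():
        d = os.path.join(root, slug)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, MAIN_FILE[slug]), "w", encoding="utf-8") as f:
            f.write(f"<?php\n/*\nPlugin Name: {slug}\nVersion: {version}\n*/\n")
    return root


def run_demo():
    """Audit the constructed sample tree and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_plugins(build_sample_tree(tmp))


if __name__ == "__main__":
    # On a real site, replace run_demo() with audit_plugins("/path/to/wp-content/plugins").
    for slug, (ver, ok) in run_demo().items():
        print(f"{slug}: {ver} -> {'patched' if ok else 'UPDATE NOW'}")
```

The comparison is done on numeric tuples rather than on strings, so that 4.10 would correctly rank above 4.2; a plugin directory whose header cannot be read is reported as unpatched rather than silently skipped, since an unreadable header is not evidence that the secure version is installed.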

What are we doing to ensure this doesn’t happen again?

We take security seriously at Envato and are looking to revise how authors disseminate information about important updates for security or other critical issues.

In this instance the plugin’s author moved quickly to patch the plugin, and made efforts to let their plugin buyers know of the update. Unfortunately, Envato only became aware of the issue, its nature and severity, when the Sucuri blog post was released. Consequently we weren’t able to ensure information was propagated out to affected users until now.

I’d like to apologize to any affected buyers on Envato Market as we should have better processes for authors to alert us, so we can assist them to get word out faster.

We will be releasing guidelines and processes to make sure issues like this get to us faster, and to help authors make sure their buyers are updated and patched as fast as possible.

We are also going to revisit how updates are handled for bundles and themes that include separate plugins.

More Information

If you have further questions about what you need to do, please contact support.

You can read more about the vulnerability on Sucuri’s blog post.

Once again, we’d like to apologize to all affected buyers and reiterate that we are working hard to get everyone a patched copy of the affected plugins.