This is why you don’t bundle plugins in WordPress themes

Yesterday, Sucuri published a very detailed document about a critical vulnerability in the Slider Revolution plugin. This is a vulnerability that’s about as bad as they can get. It allows access to files like wp-config.php and makes it fairly easy to compromise a website.

This wouldn’t be so bad if it wasn’t the case where the plugin author decided to not disclose the vulnerability and patch it without notifying their users:

The problem was fixed 29 updates back in 4.2 in February. We were told not to make the exploit public by several security companies so that the instructions of how to hack the slider will not appear on the web.

Right now, the exploit is being actively exploited and lots of websites are compromised because of it. But it gets worse. This plugin is bundled in a ton of themes sold on the internet, including some very popular themes on ThemeForest and other marketplaces. All of those sites are probably vulnerable to this exploit and can be compromised within seconds.

The good news is, there is a patch available. Users of the plugin can just update and the vulnerability will go away and their website will be safe again. There is only one problem. The themes that come with this plugin bundled, probably have no idea this vulnerability even exists and more important: They have no easy way to update the plugin. Yikes.

Bundling plugins is a bad practice

I dedicated a blog post to this subject before and this is a perfect example of why you should not bundle plugins with your theme. The lack of information and decision to not disclose the vulnerability to the public makes things even worse. There are hundreds, no probably thousands of websites with a massive vulnerability in them and most owners probably don’t even know about it.

Developers of themes, please take this advice to heart and let this example make it absolutely clear that bundling plugins in a theme is a really, really bad thing to do. There are better ways to achieve a similar user experience.

Make sure you are updated

Version 4.2 of the Slider Revolution plugin contains a fix for this vulnerability. If you are not sure your theme bundles this plugin, contact your theme developer and ask them. They are the only ones who can provide you with the right information and with an updated version of the plugin. Do this now, your site is at an immediate risk of getting compromised.

UPDATE: Envato has released an official statement on their blog: Serious Vulnerability in WordPress Plugin sold via Envato Market that gives a great insight in their side of the story and how affected users should get their issues resolved.