CVE-2014-9735
NONE EPSS 99.5%
Published Jun 30, 2015 11y ago
Last Modified Jun 17, 2026 2w ago
Description
The ThemePunch Slider Revolution (revslider) plugin before 3.0.96 for WordPress and Showbiz Pro plugin 1.7.1 and earlier for WordPress does not properly restrict access to administrator AJAX functionality, which allows remote attackers to (1) upload and execute arbitrary files via an update_plugin action; (2) delete arbitrary sliders via a delete_slider action; and (3) create, (4) update, (5) import, or (6) export arbitrary sliders via unspecified vectors.
Threat Intelligence
EPSS Exploit Probability
99.5% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses 1
CWE-264
Affected Products 2
| Vendor | Product | Version | Range |
|---|---|---|---|
| themepunch | showbiz_pro | * | ≤1.7.1 |
| themepunch | slider_revolution | * | ≤3.0.95 |
References 7
- seclists.org http://seclists.org/fulldisclosure/2014/Nov/78
- securityfocus.com http://www.securityfocus.com/bid/71306
- themepunch.com http://www.themepunch.com/products/old-revolution-slider-pre-4-2-vulnerabilty-explained/
- blog.sucuri.net https://blog.sucuri.net/2014/12/revslider-vulnerability-leads-to-massive-wordpress-soaksoak-compromise.html
- plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/patch-for-revolution-slider/trunk/revsliderpatch.php
- whatisgon.wordpress.com https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/
- wpvulndb.com https://wpvulndb.com/vulnerabilities/7954
Remediation
No remediation data recorded yet.
Check vendor advisories and the NVD entry for patch availability.