Serious Vulnerability in WordPress Plugin sold via Envato Market


Note: This post hasn't been updated in over 2 years.

Yesterday we were made aware via the security blog Sucuri of a serious vulnerability in two popular WordPress plugins available for sale on CodeCanyon from the author ThemePunch: Slider Revolution and Showbiz Pro (WordPress).

This vulnerability allows remote attackers to access the servers of all sites using early versions of these plugins. The vulnerability exists for all versions of Slider Revolution earlier than version 4.2 (released in February 2014) and all versions of Showbiz Pro earlier than 1.5.3 (released in January 2014). The plugins were patched by their author in these releases.

These are highly popular plugins sold both directly on CodeCanyon and also indirectly through inclusion in many popular WordPress themes sold on ThemeForest. As a result, we expect numerous websites to potentially be at risk and are moving to help buyers secure their sites immediately.

What are we doing about it?

UPDATED AT 1:00PM AEST ON SEPTEMBER 9, 2014

We have put together a set of steps that affected buyers can take to secure their sites. These are below. Please read them carefully.

Because the plugins are so widely used in themes (particularly Slider Revolution), we have been compiling information to understand where each one appears and whether it has been updated or not. We have been tracking this in our list of potentially affected themes, which is now split into 2 sections:

  • Themes that “may” have been affected at some point, but an update is now available
  • Themes that are affected and there is no update available today.

We found 338 themes with an older version of one of the plugins. We disabled those that were still active and contacted authors to get an update through asap.

As of today 139 (42%) of these themes have been updated and re-enabled. The remaining 194 will stay temporarily disabled until updated.

We have also made the patched plugin available for users who purchased any of the 194 affected themes with no current update available or an Envato Bundle with an affected theme.

We have and will continue to provide updates via this blog post, forums and social channels. We are also posting a global announcement across ThemeForest and CodeCanyon and have started emailing all affected buyers with instructions.

What do you need to do?

UPDATED AT 1:00PM AEST ON SEPTEMBER 9, 2014

Given the severity of the risk and the widespread nature of exposure, we strongly urge you to check if you are affected, and follow the recommended steps immediately.

As a general precaution, we encourage all users who have either purchased or sold an affected plugin or theme to update their server passwords asap. To maximize security, please follow password best practices.

Did you purchase Slider Revolution or Showbiz Pro (WordPress) from CodeCanyon?

  • Check the installed versions of the Slider Revolution and/or Showbiz Pro plugins. Details on how to check your plugin are provided below.
  • If you have a version of Slider Revolution plugin that is 4.2 or higher, or Showbiz Pro that is 1.5.3 or higher, your plugin install has already been patched. No further action is required.
  • If you are using an earlier version, you need to download the plugin again (to get a more recent version), and install it immediately. You can do so by visiting the item page while logged in. You will see a notice with a download link at the top right of the page:

Have you purchased a theme containing one of the plugins from ThemeForest?

  • Check the installed versions of the Slider Revolution and/or Showbiz Pro plugin(s). Details on how to check your plugin are provided below.
  • If your installed theme uses a version of Slider Revolution plugin that is 4.2 or higher, or Showbiz Pro that is 1.5.3 or higher, your plugin install has already been patched. No further action is required.
  • If your installed theme uses an earlier version of either plugin:
    • Check the list of Potentially Affected Themes
    • Determine which category your theme(s) falls into:
      • Themes already offering a secure update
      • Themes yet to offer a secure update
    • Update to the patched version of the plugin(s) immediately (instructions below)

Instructions for themes already offering a secure update

It is recommended that you make a backup of your site before trying this.

  • Download the theme again from the downloads page (to get a secure version)
  • Locate the downloaded zip file on your computer and unzip it
  • Locate the revslider and/or showbiz folders. If you are not able to locate the folders, please contact the theme author.
  • Connect to your server using an FTP client and go to the wp-content/plugins/ folder
  • Upload the revslider and/or showbiz folders to the wp-content/plugins/ folder, overwriting the existing files
  • Log into WordPress and go to the Plugins page
  • Locate the updated plugins in the list and confirm the version(s) are secure

Instructions for themes not yet offering a secure update

It is recommended that you make a backup of your site before trying this.

  • As a secure update of your theme is not yet available, you can get a free patched version of the plugin(s). This will be available to all users who purchased themes not yet offering a secure update.
  • While logged in, visit the item page for the plugin(s) your theme(s) contained:
  • Download the item by clicking on the “Download free update” button
  • Locate the downloaded zip file on your computer and unzip it
  • Connect to your server using an FTP client and go to the wp-content/plugins/ folder
  • Upload the revslider and/or showbiz folders to the wp-content/plugins/ folder, overwriting the existing files
  • Log into WordPress and go to the Plugins page
  • Locate the updated plugins in the list and confirm the version(s) are secure

Did you purchase a bundle or pack containing the Slider Revolution plugin, Showbiz Pro plugin and/or an affected theme?

  • The following bundles and packs included affected items:
    • Corporate Bundle
    • eCommerce Sampler Pack
    • WordPress Business Builder Pack
    • Digital Trends Bundle
    • Mobile Bundle
  • Plugins and themes contained within bundles and packs are not eligible for updates, so you need to install a patched version of the plugin(s) asap.

Instructions for items from bundles/packs

It is recommended that you make a backup of your site before trying this.

  • As a secure update of your item(s) is not yet available, you can get a free patched version of the plugin(s). This will be available to all users who purchased items not yet offering a secure update.
  • While logged in, visit the item page for the plugin(s) your theme(s) contained:
  • Download the item by clicking on the “Download free update” button
  • Locate the downloaded zip file on your computer and unzip it
  • Connect to your server using an FTP client and go to the wp-content/plugins/ folder
  • Upload the revslider and/or showbiz folders to the wp-content/plugins/ folder, overwriting the existing files
  • Log into WordPress and go to the Plugins page
  • Locate the updated plugins in the list and confirm the version(s) are secure

How to Check Plugin Versions

To check whether you have the updated version of Slider Revolution or Showbiz Pro, please follow these instructions:

  1. Log into the WordPress Admin area
  2. Go to the plugins screen
  3. Locate the Slider Revolution or Showbiz Pro plugin in the list
  4. Check the version number (as shown in the screenshot).

[Screenshot: slider-revolution-version]

If the version number of Slider Revolution plugin is 4.2 or higher, or Showbiz Pro is 1.5.3 or higher, you are using a version which contains the fix to the security flaw. If not, follow the instructions above to get an update and patch it immediately.
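The check above is done by hand in the WordPress admin screen; the update instructions also show that copies of the plugin ship inside theme folders, so a site can carry more than one copy. The following script is an added example (not Envato's or ThemePunch's code) that scans a wp-content directory for every copy of both plugins, including ones bundled inside themes, reads each plugin's "Version:" header and reports it against the 4.2 / 1.5.3 thresholds stated in this post. It assumes the main plugin files are revslider/revslider.php and showbiz/showbiz.php with the standard WordPress plugin header; the sample tree it builds is constructed data for demonstration.

```shell
#!/bin/sh
# Added example, not Envato's or ThemePunch's code.
# Assumptions: the main plugin files are revslider/revslider.php and
# showbiz/showbiz.php and carry the standard WordPress "Version:" header.

# Minimum patched versions stated in the post.
REVSLIDER_MIN="4.2"
SHOWBIZ_MIN="1.5.3"

# Print the "Version:" header value (digits and dots only) of a plugin file.
plugin_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when dotted version $1 is greater than or equal to $2.
# Compared field by field, so 4.10 ranks above 4.2 (a plain string compare would not).
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Scan a wp-content directory for every copy of either plugin, including
# copies bundled inside themes, and print: STATUS<TAB>name<TAB>version<TAB>path.
scan_wp_content() {
    find "$1" -type f \( -path '*/revslider/revslider.php' -o -path '*/showbiz/showbiz.php' \) |
    while IFS= read -r f; do
        case "$f" in
            */revslider/revslider.php) name="Slider Revolution"; min="$REVSLIDER_MIN" ;;
            *)                         name="Showbiz Pro";       min="$SHOWBIZ_MIN" ;;
        esac
        v="$(plugin_version "$f")"
        if [ -z "$v" ]; then
            status="UNKNOWN"          # no parseable header: inspect by hand
        elif version_ge "$v" "$min"; then
            status="PATCHED"
        else
            status="VULNERABLE"
        fi
        printf '%s\t%s\t%s\t%s\n' "$status" "$name" "${v:-?}" "$f"
    done
}

# Build a constructed wp-content tree (sample data, not a real site) with one
# copy on each side of the thresholds, plus a newer copy bundled in a theme.
make_sample_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/plugins/revslider" "$root/plugins/showbiz" \
             "$root/themes/sample-theme/plugins/revslider"
    printf '<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.1.4\n*/\n' \
        > "$root/plugins/revslider/revslider.php"
    printf '<?php\n/*\nPlugin Name: Showbiz Pro\nVersion: 1.5.3\n*/\n' \
        > "$root/plugins/showbiz/showbiz.php"
    printf '<?php\n/**\n * Plugin Name: Slider Revolution\n * Version: 4.6.0\n */\n' \
        > "$root/themes/sample-theme/plugins/revslider/revslider.php"
    printf '%s\n' "$root"
}

# Usage: sh check-revslider.sh /path/to/wp-content
# With no argument, scan the constructed sample tree instead.
if [ "$#" -gt 0 ]; then
    scan_wp_content "$1"
else
    sample="$(make_sample_tree)"
    scan_wp_content "$sample"
    rm -rf "$sample"
fi
```

A VULNERABLE line for a copy under wp-content/themes/ means the theme still bundles an old version and the instructions for themes not yet offering a secure update apply even if the copy under wp-content/plugins/ is current.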

What are we doing to ensure this doesn’t happen again?

We take security seriously at Envato and are looking to revise how authors disseminate information about important updates for security or other critical issues.

In this instance the plugin’s author moved quickly to patch the plugin, and made efforts to let their plugin buyers know of the update. Unfortunately Envato only became aware of the issue, its nature and severity, when the Sucuri blog post was released. Consequently we weren’t able to ensure information was propagated out to affected users until now.

I’d like to apologize to any affected buyers on Envato Market as we should have better processes for authors to alert us, so we can assist them to get word out faster.

We will be releasing guidelines and processes to make sure issues like this get to us faster, and to help authors make sure their buyers are updated and patched as fast as possible.

We are also going to revisit how updates are handled for bundles and themes that include separate plugins.

More Information

If you have further questions about what you need to do, please contact support.

You can read more about the vulnerability on Sucuri’s blog post.

Once again, we’d like to apologize to all affected buyers and reiterate that we are working hard to get everyone a patched copy of the affected plugins.

  • ThemePunch .

    From the ThemePunch Team, we would like to sincerely apologise to all our affected customers.

    Also we are very sorry for all the extra work and inconvenience we have caused.

    Thanks to the support of Envato for informing all our customers and rolling out our latest release to our loyal customers.

    Best Regards,

    ThemePunch

    • Owen Dessauer

      What about the Concrete5 version? Why does it say

      “Download not available
      Item removed by either staff or the author” ?

      Was it removed because it has the vulnerability?

    • Hi Owen,

      Which item are you looking at? This item only affects the WordPress plugin. There is no Concrete 5 version as far as I know, although some Concrete 5 themes may have adapted it or use the jQuery version (which is not affected).

    • Owen Dessauer

      Actually, there was a Concrete5 version. I bought it (it wasn’t part of a theme). But it was removed. Why? Because of the vulnerability?

    • vik

      Yes, Stephen, as Owen mentioned there was a concrete5 Slider Revolution add-on (by BeConcrete). I also bought the concrete5 add-on of Slider Revolution (by BeConcrete) a year back. But that was never updated. And as Owen mentioned, the add-on has been removed from the marketplace. I too want to know if that add-on is vulnerable now. Should we keep it or remove it, since there’s no and never will be any update to it? Waiting for the add-on author’s reply as well. But I am not hoping I will get one.

      Thanks!

    • vik

      Hi Owen!

      I also bought the concrete5 add-on of Slider Revolution (by BeConcrete) a year back. But that was never updated. And as you mentioned, the add-on has been removed from the marketplace. I too want to know if that add-on is vulnerable now. Should we keep it or remove it, since there’s no and never will be any update to it? Waiting for the add-on author’s reply as well. But I am not hoping I will get one.

      Thanks!

  • Hmm, bummer!

    I do hope this gets sorted for those affected, and lets hope for the least amount of damage possible. Good luck.

    • Natalia Manidis

      Thanks Alex!

  • Cesa BT

    What about customers who have bought an affected theme but the theme creator doesn’t update? Because you know, when we’ve bought a theme we just buy the included theme files, not the included scripts…

    • ThemePunch .

      Envato is preparing a free update, as far as I understand from the above:

      “If you purchased one of these bundles or packs:
      Consider removing or disabling the plugin(s) temporarily
      Contact Envato Support to receive a free update of the plugin(s)
      Go to http://support.market.envato.com
      Click on ‘Submit a Support Request’
      Select ‘Buying and General Support’ from the dropdown menu
      Fill in all your details and select ‘I need help with Revolution Slider or Showbiz Pro (WordPress)‘ from the ‘Lets Gets Specific’ dropdown menu”

      Thanks a lot,
      ThemePunch

  • Mo

    List of affected themes only shows wordpress themes. does this affect the stand-alone product, or magento versions? I have 2 themes I’ve purchased that use the revolution slider.

    • ThemePunch .

      Hi MO,

      no, no need to worry about the standalone jQuery version. Only the WordPress version 4.14 or earlier was affected.

      thanks,

      ThemePunch

  • HowsTaht

    you need to send a warning email to all customers who purchased the plugin and a theme that includes that plugin!

    • ThemePunch .

      Hi,

      as far as I know all customers have been informed with every update we have done since February (29 updates since the bug fix!) and also Envato sent/sends again a new warning mail.

      thanks a lot,

      ThemePunch

    • Mcguffin

      What a bunch of horse***t. You didn’t tell anyone about the exploit until 7 months later when you are outed by an independent security firm. If you had been upfront months ago many sites would have known the urgency and upgraded their plugin/theme. You should be banned from envato, but of course they could care less about code quality as long as it sells. I guess now the title of the king of bloat has been replaced by the backdoor king.

    • The Web Fix

      Only if they have clicked the button to get alerts on updates for that particular purchase. Major security releases should override that feature, but we never received anything. We have installed your free plug-in, the Punch Guider, for future updates.

    • Natalia Manidis

      Thanks HowsThat. We will be contacting all buyers of affected plugins and themes via their Envato Market email address as soon as possible.

  • ThemePunch .

    Hi Folks,

    we just put together a tool/plugin which helps you to identify if any action, like an urgent update, needs to be done. If you are not sure, or if you wish to have a tool installed which checks the status of your installed ThemePunch plugins daily, please download and install the “Punch-Guider” DOWNLOAD HERE.

    This tool allows you to dynamically check the installed ThemePunch plugins in your WordPress installation. If one of your plugins needs an update, recommended or critical, it will inform you about this fact. It does not update your plugins, but it helps you to keep an eye on the plugin status and informs you if there is any action that you need to take.

    Thanks a lot,

    ThemePunch

  • John Teague

    Envato and all developers of commercial software should make sure that each and every version released for distribution has passed a rigid security “checklist.” Vulnerabilities like this one can be caught using available tools like w3af or Portswigger, along with many other security scanning and proofing tools. It’s just good business and well worth the investment.

    • Natalia Manidis

      Thanks for the feedback, John. We’re always looking for ways to improve both our review processes and author guidelines. I’ll pass this along to the team as I’m certain we’re going to be having lots of discussions about how to help authors keep their work as safe and secure as possible.

    • John Teague

      Thank you Natalia. Nothing is foolproof, but I think we sometimes rely too heavily on LAMP and “best practices” to get us by. I’m not casting blame here, but I think some basic checks and balances would benefit everyone involved. Best to you and yours.

  • If there is anything that Envato can learn from this, it is that from this point forward they should prohibit theme authors to bundle plugins. I mean have you had a look at the list of affected themes??? It’s not even funny how many there are!

    Why can’t a plugin come as a recommended plugin? How difficult is it for a theme author to include a conditional statement like `if ( is_plugin_active( 'plugin-directory/plugin-file.php' ) ) {
        // plugin is activated
    }`

    If you want to release a theme on the official WP.org Themes Repo it is strictly prohibited to bundle plugins, now why would you think that is? To make it more difficult for theme-authors to release themes or perhaps simply for reasons of security?!

    Envato is ultimately responsible for this huge cock-up!

    • Natalia Manidis

      Thanks for the feedback, Piet. We understand there are some drawbacks to bundling plugins and this is definitely one of them. On the other hand, bundling allows theme authors more versatility in development of their themes, which many authors and buyers appreciate. That said, we plan to review our policies and guidelines related to this, so expect to hear more soon.

    • >> some drawbacks to bundling plugins
      Are you kidding me? No less than 3 days after I wrote this comment all you can come up with is this? WOW!
      And even adding a false positive as how it could possibly be good to bundle plugins with themes? You must really be living on another planet! That’s probably why it took you 3 full days to reply, time-difference between your planet and planet Earth…

    • Albo Best

      Stop bitching you butt hurt cunt. Go cry to your mom.

    • The Fox

      Yeah, stop the fucking whining and blaming ENVATO and being mean to reps on here.

      Envato Team … you rock, and bundling plugins is awesome.

      You can’t make everybody happy.

    • Ola Alex

      Hay Piet! ,, is it enough .. or need little bit more spanking on u r BuUt?

  • Congratulations on your decision !

    7 days ago I wrote a post of my misadventure “hacking with Revolution Slider” -> http://goo.gl/UKg9sB (feel free to remove that link), I contacted the developers involved to tell them there was a problem with their Theme and no answer…

  • Fabio

    My revolution slider plugin suddenly disappeared from my website?!? It isn’t in the menu or the plugin list? How do i fix this? The theme i’m using “Shoptan” has been discontinued.

    • ThemePunch .

      Hi,

      please contact us via our profile page, or via our ticket system, and we will help you with it !

      Thanks a lot,
      ThemePunch

  • J.Q. Isidore

    7 of my 9 domains have been affected severely. No email from Envato on this insanely devastating issue:
    – domain dns of all .com have been messed up/deleted
    – e-mail servers no longer working.
    – No way of restoring this myself

    I had to find out by accident that this issue was going on; my web hosting service provider can hold me accountable for this and to come across the information here and what caused this dreadful situation took me 5 hours of troubleshooting and research! For just 1 website! And because the damage is beyond repair with a simple update I feel like crying my brains out.

    I am running a self-employed business, you have any idea how big my client (income) loss is going to be here?! I feel totally fucked.

    But let’s keep calm and patch and update…

    • viewlike

      We all understand how dreadful a situation like this can be, however mistakes happen to the best developers. This only proves how important security can be and that we have lessons to take from this: to Themeforest to stop approving every piece of code without verifying it, to the developers to increase their security and to buyers to maintain their sites.

      For you, specifically, if you have customers with important sites, automatic backups are a simple way to solve the problem and if you have it setup properly it should take no more than a few minutes to restore.
      If you run a self-employed business you should know more than anybody how to protect it; don’t rely on others to do that for you.

    • Guest

      Contact your hosting company immediately and ask for a most recent backup. All hosting companies take regular backups every week or so.

    • Albo Best

      Contact your hosting company immediately and ask for a most recent backup. All hosting companies take regular backups every week or so

    • Studio Isidore

      Thanks @albobest:disqus and Guest for the idea. Obviously that part of the issue was done: contacting hosting company/back-ups

      @viewlike:disqus interesting point you make there about protecting my stuff and the (mandatory) ability to do so, being self-employed that is. The fact that I rely on Envato, my theme maker and the plugins related to it, allows me to run a committed expertise business in other fields. In our current time this is one of the best aspects: to be able to have someone’s expertise to help you be more expert in something else, worldwide and international. No sea, no language or color that stands in between. Sadly there are also those that abuse this connectivity for less positive uses, from governments to the local milkman.
      Besides, people make mistakes, heck I make them, but certain mistakes that involve larger groups of people than just yourself (meaning more than 1) should have the integrity and respect to be transparent about it, allowing all parties involved to make a fair choice and decision on the matter at hand. We see how devastating it works in politics, in schools and.. here on Envato.

      Automatic backups are nice, just like the strong password advice and all. But let’s be honest. That is not problem solving, that is pointing the finger in another direction. The real issue is far more complex and needs more than one update of the system.

    • viewlike

      I totally agree with the fact that sites like Envato give you access to resources in a way that you wouldn’t have had in the past, but you need to take into consideration that everything, absolutely everything, can fail; it’s Murphy’s law: “Anything that can possibly go wrong, does.” and you need to be prepared for that.

      As for the developer, transparency in this case was not the way to go, to avoid making things even worse by disclosing that thousands of potentially hackable sites were out there, waiting to be attacked. They solved the problem months ago, and if it is an obligation for the sellers to keep the plugins and themes updated, it’s also an obligation for the buyer to maintain the code / sites.

      The network / internet security business is much more than a glitch on a WP Plugin and this is an issue that should be addressed very carefully by Themeforest. There are literally thousands of hackers around the world trying to exploit this type of errors.

      The backup-restore is actually the only solution you have to solve your problem now. The strong passwords were useless in this case due to the severe vulnerability faced. The real issue is that developers just need to step-up their game and produce proper code, validated, tested and ready for war.

      Cheers

  • I didn’t get any e-mail from Envato regarding this. This is just horrible support. I had to e-mail the theme developer (Gameleon – Tiguan) today about why his theme was removed and he told me what was up.

    Gameleon theme has bundled the plugin in a way that it can’t be disabled or deleted.

    Why would you delete the theme from the marketplace? You could’ve disabled the downloads and purchases and put a warning. So many themes are affected and no warning on the front of the site at all.

    • Natalia Manidis

      Hi Boringly, we’re currently in the process of emailing all buyers and have been updating this blog post as well as the forums on a regular basis. We’ve also made the patched plugin available for users who purchased affected themes with no current update available (see instructions above). Hope this helps!

  • Enzo Picardi

    I didn’t get any e-mail from Envato regarding this. I’m very disappointed.

    All my commercial webpages are out of service!!!

    I lost a lot of data!

    • well maybe a good point to start building real websites instead of depending on crappy Themeforest themes that add stuff you don’t need

    • The Fox

      Dude … move the fuck on. You don’t like ENVATO get the fuck out and stop crying and being a keyboard warrior.

      ENVATO, the themes and the whole environment is one of the best things ever happened since the creation of Internet.

      You can have vulnerabilities in any “real website” … stop whining , man the fuck up.

    • skylarkstudio

      Man, just stop bitching around. You have a point, but there are other points to consider too.

  • Can you please remove Whisper from the list of affected themes? We’ve just updated the theme (and got approved). Thanks. http://themeforest.net/item/whisper-responsive-multipurpose-wordpress-theme/6546851

  • Patrick

    Any issue with it in Joomla or is it just the WordPress plugin specifically?

    • Natalia Manidis

      WordPress specifically.

  • Владислав Ахметвалиев

    I have Avada and Jupiter in my purchased themes; why can’t I download Revolution Slider for free as described in this post?

    • Natalia Manidis

      Because these themes are already offering a secure update. Please see “Instructions for themes already offering a secure update” above.

  • Shankar Banjara

    Envato and all developers of commercial software should make sure that
    each and every version released for distribution has passed a rigid
    security “checklist.”
    http://www.agricultureinnepal.com/

  • In most situations, authors are the first to get to know about these bugs. In a situation like this, it is difficult for authors to intimate all buyers about the bug in time. Envato has to consider providing an option for authors to notify buyers about the bug and to update with the security patch.
    Say for example, in the submission form, there can be an option (in addition to “notify buyers about this update”) to select whether it is a normal update or a security update. In case of a security update, a compulsory warning email must be sent to all buyers to update the theme/plugin. This way buyers are intimated at least within a certain short time.

  • AOnet

    Where to find the “Download free update” link?

    Thanks.

    • Natalia Manidis

      The “Download free update” link is displayed on the item page for the plugin, however, it is only available to logged in users who purchased one of the affected themes for which there is currently no update.

  • Marcel Tomas

    Is this happening as well in the Prestashop Revolution Slider on CodeCanyon? (v 4.2). In my case, after the theme update, Revolution Slider is hidden and doesn’t work. Any suggestion?

  • Chimp Studio

    From Chimp Studio!!
    First, I would love to hail Envato for their great efforts to keep customers intact from any threat.
    Second, I do apologize to all those clients who got affected one way or another.
    Third, We have updated all our themes and they all are now safe to use.
    Also,
    this thread and discussion is indeed the best way to update customers and authors about any potential threat.
    Good Job indeed!!

  • endoftheQ

    It took you four days after posting this before you sent me an email alert? Unreal.

  • Digitalnat

    I have 4 themes that include Slider Revolution; where can I download a higher version of the Revolution Slider plugin for free?

    • The Web Fix

      Re-download your themes. Make sure you read this article to know if your themes have been updated. If not, follow the instructions for the patch.

  • Andrew2014

    As written by others, seems a crazy thing that we got alerted that late, we are lucky that our site is protected by Sucuri Team Firewall – so we got immediately alerted by them but when we tried to contact the developer team of the theme they didn’t even mind to answer us 🙂

    Seems security is something we may forget here.

  • My Premium responsive slider Version 4.5.9

    • The Web Fix

      4.6 is out

  • Katie Keith

    Thanks for the info, we have been through our client list and have contacted all our clients who use older versions of the Revolution Slider. I was very disappointed to see how lazy some theme authors are at adding the latest version to their themes – I see that several of the themes we have purchased since February 2014 (when Rev Slider 4.2 was released) were using older versions of the slider, so people’s sites are vulnerable even though they bought their themes after 4.2 was released!

  • viewlike

    This only proves that the way Themeforest prioritizes its products are showing up to be tricky. If on one side features are important for the product to sell, on the other this is the type of thing that can ruin a business, and Themeforest is unfortunately known for the mediocre quality of code it sells.

    A word to the ThemePunch team: things like this happen, and you are doing a good job solving the problem; we would have done the same and not disclosed the glitch.

    In our opinion we need to invert our developing priorities:

    1. Quality & Security
    2. Usability
    3. Features

    Fortunately or unfortunately it’s not the first time that I see absolutely horrible pieces of code coming out of Themeforest, specifically with WordPress themes, which are the ones I deal with the most and whose code goes against every WP rule: repeated code, included files, dozens of CSS files and everything just to sell more. If all the features are good for the seller to make more money, that bunch of code is absolutely unnecessary.
    The cheap becomes expensive, as we used to say back where I come from.

    Perhaps it’s a good idea to organize some contests or hackathons to put the products through extensive testing and take the best out of it.

    • dawesi

      To be honest, they could have just continued selling old versions… they have gone beyond any other site here…

      This isn’t themeforest’s problem, but they provided a great solution.

    • viewlike

      Who could sell old versions? Themeforest? Sorry, but I didn’t understand.

      Of course it’s not only Themeforest’s problem, it’s also the developers’ too, but the truth is that they are the ones that approve the code; they are responsible for what they sell.

  • The Web Fix

    Too little too late.. I hope the lesson was learned from this fiasco. 30 of our clients were affected along with our servers. Major digging uncovered it before we were notified. I would hope in the future Envato’s new security team releases vulnerabilities to their valued customers ahead of outbreaks.

    The folks at WordPress were even scratching their heads.. millions upon millions of sites on the Web are affected from this…

  • Wow, sorry to all affected users. It’s so annoying that people out there are using their god-given brain power to destroy what others have put sweat and effort into building.

  • mevedo

    The theme “Bar + Grill: Restaurant & eCommerce Theme for WP” is in your list – but this theme is NOT disabled and also NO update is available!

    And what about the themes disabled weeks or months before? Did you check them also?

    Regards
    Torsten

    • Natalia Manidis

      Hi mevedo, the theme isn’t disabled because it’s already offering a secure update. For users who bought themes disabled/deleted weeks or months before, we’re offering the plugin(s) itself.

    • mevedo

      But on http://themeforest.net/item/bar-grill-restaurant-ecommerce-theme-for-wp/6608044 the last update is 19 July 14 – all other themes that have been updated have a newer date …
      And I have downloaded the theme again – the last change of the installable theme ZIP is also 19 July 14 …
      So – where is the update?

    • Pedro Gonzalez

      Hi Torsten,
      That theme is not disabled because it already contains an updated version (4.5.9) of the rev slider which is not affected by the security issue.

  • Rinneh

    How can a user find out if his/her website was compromised?

    For me no themepunch plugins anymore, had issues with essential grid and now with this….

  • skylarkstudio

    Can I just update the revolution slider itself without updating the whole theme?

    • Natalia Manidis

      Yes, please see “Instructions for themes already offering a secure update” above.

  • Bonny Clayton

    Is simply purchasing and installing the latest version of Slider Revolution a feasible solution? It seems to make more sense to me than backing up the site, downloading the theme zip file again, reinstalling the theme and then tweaking the site where necessary as a result of the reinstall. I am running flexform and right now it just reads [rev_slider header_show] where my slider used to be. Potentially stupid statement – I’m not even sure this is my issue, as this post is all about Slider Revolution and *my* plugin was named Revolution Slider… ?????

    • Bonny Clayton

      Also, I can’t even see what version was installed…it’s completely gone.

    • Hi Bonny,

      I answered this above:

      The plugin seems to be referred to as both Slider Revolution and Revolution Slider in different places, which is confusing, but it is the same plugin.

      Purchasing the latest version of Slider Revolution is an option, but if you look at the instructions in the “Instructions for themes already offering a secure update” section above, we talk about finding the plugin folder in your theme zip and just uploading that (rather than actually updating the theme, which could cause you to lose customisations).

      Does Revolution Slider appear in the list of plugins in the WordPress admin area? If not, your host may have removed it for you.

  • Xander

    Looks like http://themeforest.net/item/arctic-architecture-creatives-wordpress-theme/6307436 isn’t on either list though it’s surely using the Rev Slider.

    • Hi Xander,

      Can I ask why you say that? I’ve downloaded the theme and looked through it and I can’t see the slider anywhere in there. Also I used a grep tool to search the contents of all files in the theme and it doesn’t appear at all.

  • Ruben

    I’m concerned. I lost my online store; this has generated and is generating losses in my business, and nobody is responsible. As has been well said above, WordPress is scratching its head and ThemeForest is not taking the blame for this big problem. Contrasted with the security people, painful.

  • Graemeww

    Will my site be protected until I do the update if I hide the site behind a coming soon page?

  • Myatu

    One curiosity is that I stumbled upon this merely by coincidence. Was an e-mail sent out to existing customers?

  • Graemeww

    Question. Until I do the update, can I protect my site by hiding it behind a “coming soon” page?

    • Just putting it behind a coming soon page won’t help. You need to deactivate the plugins.

  • taka

    Does this affect the PrestaShop Slider Revolution as well?

  • Natalia Manidis

    Everyone, I’ve deleted some of the comments here because they contained offensive language and personal attacks. Our community guidelines (http://themeforest.net/community/community_guidelines) apply here as in our forums and other discussion areas. Feel free to re-post earlier comments minus the offensive language and please keep the guidelines in mind for future posts.

  • Omar Hamid

    I have a website using InCare theme, however, I cannot find either of the plugins under “plugins”. I do however see a tab titled “Revolution Slider”. What actions are recommended on my end?

    • If you see the tab with Revolution Slider, then the plugin must be installed and active, so it should be appearing in the list of plugins. If you can’t find it after checking again, then please try to contact the author of the InCare theme for advice.

      I can tell you that InCare doesn’t have Showbiz Pro, so it is only Revolution Slider you are looking for.

  • Natalia Manidis

    Hi Stephen, do you mean the Grandeur Responsive Multipurpose Theme? If so, this one has already been updated, so you should just be able to download the theme as per instructions above.

  • Natalia Manidis

    WordPress only, thanks Patrick.

  • Hi,

    I’m using the London Creative theme, and I don’t see any of the affected plugins in the list.
    Is this theme safe?

    I have a Fresh Slider tab, though. Is it related?

    Thanks!

    • Natalia Manidis

      Currently, we’re only aware of vulnerabilities in older versions of Slider Revolution and Showbiz Pro WordPress plugins.

  • tsit

    Hello, I replaced the files in my theme and the slider stopped working. The MCE editor stopped working as well. Revslider files are not in the plugins folder, but inside the theme.

    • Hi tsit,

      In that case, I think you need to contact the author of the theme to see if they can help you.

  • Jay

    Even though there is an apology for all the fuss, it doesn’t change the amount of work and time which will have to be put in to fix up all affected clients…

  • axeltechnologies

    I downloaded the update package for rev. slider (the Swift theme has not updated it automatically). After updating the rev. slider, some images are missing and the plugin editor is totally blank; I can only see a white page. If I deactivate the rev. slider plugin, the whole webpage is empty (except the nav bar is showing).

    In the Swift theme there are also other plugins which came with the theme and cause problems because I can’t update them. Not good…

    • Natalia Manidis

      Please contact the author of the theme you are using, axeltechnologies. They should be able to assist you.

  • Maaz M

    Hello Envato theme,

    I have got an important security email from Envato regarding the Posh theme which I purchased earlier. They have instructed us to update these 2 WP plugins, but I am unable to see the DOWNLOAD FREE button for the Showbiz Pro plugin for WP, whereas I am able to see the DOWNLOAD FREE UPDATE button for Slider Revolution Responsive.

    http://codecanyon.net/item/showbiz-pro-responsive-teaser-wordpress-plugin/4720988

    Can you please email the plugin or let us know an alternate method soon. The updated version of the Posh theme is also not available to download.

    Please reply soon as it will affect our client’s website.

    Thanks,

    • Hi Maaz M,

      I believe this should be fixed now and Showbiz Pro should appear for you. Can you please try again and let me know if it doesn’t appear? Thanks.

  • Ben Morris

    I’ve had to patch 5 customer sites because of this issue. FYI I did this days ago and just today received an email to this post from Envato. The core issue I see is the fact these paid plugins are bundled in themes and bypass the update mechanism in WordPress. Keeping plugins updated within WordPress is ideal and customers can generally do it. Personally I would force bundled plugins to provide updates within WordPress.

    Also, a few people have mentioned their Revolution Slider plugin is gone. That is most likely your hosting company that has proactively deleted/disabled the plugin. I have seen this already on a few hosts.
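    Several questions in this thread come down to the same check: is one of the two plugins present at all, which version is it, and is it a copy bundled inside a theme (which, as the comment above notes, WordPress’s own updater never sees). The script below is an added example, not code from the original post, from Envato or from ThemePunch. It walks a WordPress install, reads the `Plugin Name:` and `Version:` header of every PHP file, and reports each copy of Slider Revolution below 4.2 or Showbiz Pro below 1.5.3 (the patched versions stated in the post) as VULNERABLE. The directory tree and plugin headers built by `make_demo` are constructed for the demonstration, and the file names `revslider.php` and `showbiz.php` are assumptions.

```shell
#!/bin/sh
# Added example (not the post's, Envato's or ThemePunch's code): find every copy of
# Slider Revolution / Showbiz Pro under a WordPress root, including copies bundled
# inside themes, and flag versions below the patched releases named in the post.
# Thresholds from the post: Slider Revolution < 4.2, Showbiz Pro < 1.5.3.

# version_lt A B: succeed (exit 0) when dotted version A is lower than B.
# Components are compared numerically, so 4.10 is newer than 4.2; missing components count as 0.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# header_field FILE FIELD: print the value of a WordPress plugin header line
# (e.g. "Plugin Name:" or "Version:"), which lives in a comment at the top of the main file.
# Tolerates both "Version: x" and " * Version: x" comment styles; trims trailing whitespace.
header_field() {
  head -n 80 "$1" \
    | sed -n "s/^[[:space:]]*\**[[:space:]]*$2:[[:space:]]*\(.*\)/\1/p" \
    | head -n 1 \
    | sed 's/[[:space:]]*$//'
}

# scan_wp ROOT: one line per plugin copy found: "STATUS VERSION PATH".
# STATUS is VULNERABLE, OK, or UNKNOWN (matching header, but no parsable version).
# Scanning the whole root rather than wp-content/plugins is what catches theme-bundled copies.
scan_wp() {
  find "$1" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
    name=$(header_field "$f" "Plugin Name")
    case "$name" in
      *"Slider Revolution"*|*"Revolution Slider"*) min="4.2" ;;   # both names are used for the same plugin
      *"Showbiz"*)                                 min="1.5.3" ;;
      *) continue ;;                                             # not one of the two plugins
    esac
    ver=$(header_field "$f" "Version")
    case "$ver" in
      [0-9]*) if version_lt "$ver" "$min"; then status=VULNERABLE; else status=OK; fi ;;
      *)      status=UNKNOWN; ver="-" ;;
    esac
    printf '%s %s %s\n' "$status" "$ver" "$f"
  done
}

# make_demo DIR: build a constructed WordPress-like tree (sample data, not real plugin code):
# an old copy in wp-content/plugins, a patched copy bundled in a theme, and a patched Showbiz Pro.
make_demo() {
  mkdir -p "$1/wp-content/plugins/revslider" \
           "$1/wp-content/themes/sometheme/plugins/revslider" \
           "$1/wp-content/plugins/showbiz"
  printf '<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.1.4\n*/\n' \
    > "$1/wp-content/plugins/revslider/revslider.php"
  printf '<?php\n/**\n * Plugin Name: Revolution Slider\n * Version: 4.5.9\n */\n' \
    > "$1/wp-content/themes/sometheme/plugins/revslider/revslider.php"
  printf '<?php\n/*\nPlugin Name: Showbiz Pro Responsive Teaser\nVersion: 1.5.3\n*/\n' \
    > "$1/wp-content/plugins/showbiz/showbiz.php"
}

# Usage: ./scan_revslider.sh /path/to/wordpress   or   ./scan_revslider.sh --demo
case "${1:-}" in
  --demo) tmp=$(mktemp -d); make_demo "$tmp"; scan_wp "$tmp"; rm -rf "$tmp" ;;
  "")     : ;;                      # no argument: only define the functions
  *)      scan_wp "$1" ;;
esac
```

    Run it against the web root, not just `wp-content/plugins`: a theme that ships its own `revslider` folder shows up as a second copy with its own version, which is exactly the case the WordPress plugin screen does not show and the update button does not fix. Any line marked VULNERABLE should be deactivated or replaced with the patched plugin folder as the post’s instructions describe.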

  • andreaxy

    Hi Team,
    which passwords do you suggest updating? cPanel passwords, database credentials or WP password?

    • As I said on a comment above:

      The vulnerability allows attackers to access any file on your server. The one highlighted as a likely target is wp-config.php. That typically has your SQL server’s host name, the database name, database user and database password, so I’d be changing those first.

      However you also need to consider what information is in any of the files on your server.

  • Fine PhotoGraphics

    Which “server passwords” do we need to change? FTP, email, hosting, SQL db??? Would you please be more specific? Thanks.

    • The vulnerability allows attackers to access any file on your server. The one highlighted as a likely target is wp-config.php. That typically has your SQL server’s host name, the database name, database user and database password, so I’d be changing those first.

      However you also need to consider what information is in any of the files on your server.

  • Jason McElwaine

    I’d encourage anyone with questions to post on this thread instead: http://codecanyon.net/forums/thread/important-serious-vulnerability-in-revolution-slider-showbiz-pro-wordpress-plugins/141396 – as you’re much more likely to get a faster answer over there since many more from the community view the official forums on a daily basis as opposed to the blog here.

  • Brandon

    Should the Plugin be deactivated or removed altogether to avoid any security vulnerability? My theme developer has not updated the theme, so I am curious to know if de-activating it will suffice

    • Hi Brandon,

      Based on my testing, deactivating the plugin is enough.

  • Natalia Manidis

    Sorry Stephen, I don’t quite understand. As far as I know, you should just be able to re-download the theme from your downloads page, find the relevant plugin file and then upload that only to your customized theme. Have you tried this already?

  • Hi Cara,
    Sorry, no idea – you better ask your host about this. It’s possible they’ve done something to block that plugin.

  • Nice suggestion, although make sure to apply the update as well! 🙂

    Note, everyone should have access to an update now, either through the theme or through the special link in the “Instructions for themes not yet offering a secure update” section above.

  • Hi Bonny,

    The plugin seems to be referred to as both Slider Revolution and Revolution Slider in different places, which is confusing, but it is the same plugin.

    Purchasing the latest version of Slider Revolution is an option, but if you look at the instructions in the “Instructions for themes already offering a secure update” section above, we talk about finding the plugin folder in your theme zip and just uploading that (rather than actually updating the theme, which could cause you to lose customisations).

  • If I already had the updated version of the Revolution Slider do I still need to reinstall the theme?

    • Natalia Manidis

      No Eric, if you’re using the patched version, you’re fine.

  • A real mess, my users are paying because of a plugin…. this thing is truly incredible …

  • TLC

    Thanks for the update and the email letting me know about the themes. I have updated my client’s site and everything is fine.

    It just so happened that you sent me a notice for a theme for my own website which I didn’t use. I checked and discovered that the theme I’m currently using suggested installing Revolution Slider, but did not include it with the theme package. I was able to get a copy of the new plug-in from the other theme I updated, and was able to update my site as well.

    You may want to consider notifying anyone who has a theme that even mentions Revolution Slider. Whether it’s incorporated or they “suggest” it, things still need to be updated.

    I appreciate your response to this situation.

  • Daniela

    Hello, I followed the instructions from the Envato email I received to update my Revolution Slider plugin and it didn’t work. Now I have a blank space on my home page and I have no idea how to solve it. =( Could anyone help me?

  • I only happened to stumble across this whilst looking to see if a few other legacy theme issues had been fixed (Suburbs theme). I’ve still not received any email notification despite having ‘Send an email when an item I’ve purchased is updated’ checked in my account settings.

    Everyone makes mistakes and whilst bundled plugins being outside the update cycle may be an issue that needs to be looked into further, I’m a bit annoyed that until 10 minutes ago my site was insecure, when this issue has now been known about for some time.

  • Angela

    iPage warned me of this 2 weeks ago and disabled my Revolution Slider that came with WP Residence. I immediately contacted the developer who told me I didn’t need to worry about it. Am I the only one who was contacted via host?

  • Jeff

    Hi!

    What if neither Revolution Slider or Showbiz appear in the plugin
    screen, but Revolution Slider does appear on the left side of the admin section, as part of the website?

    Thanks!

    – Jeff

    • Natalia Manidis

      Hi Jeff, please reach out to the author of the theme for assistance with this. Thanks!

  • If we have an older version of a possibly affected theme using the Revolution Slider, would our problem be solved if we just purchased and installed the newest version of the slider versus patching the old one? Do you think the newest version of the Slider would be compatible with an older theme version?

    • Natalia Manidis

      Hi Lindsey, you should either be able to download an updated version of the theme or a patched version of the plugin depending on your situation (i.e., you don’t need to purchase the newest version of the Slider). Compatibility issues, if any, should be raised with the author of the theme. Hope this helps!

    • Thanks so much Natalia! I appreciate the help!

  • Alphons Gerritsen

    Hi, on RealHomes, after uploading and overwriting the RevSlider files, the website shows blank! Disabling the plugin makes it reappear again. Any tips welcome, Thanks!

    • Natalia Manidis

      Please contact the author of your theme for assistance. Thank you.

  • Amy

    Quick question… If I had a theme that contained the plugin, but I never activated the plugin, am I at risk?

  • Wil

    I see this is dated September 5th, why am I receiving this 11 days later? This hit my inbox 43 minutes ago.

    Envato, care to explain?

  • RB

    Like Jeff’s comments earlier, we too don’t see the Revolution Slider or Showbiz in the plugin section; we see that in the widgets section. Should we act on this?

    We have the Revolution Slider that came bundled with the ThemeFusion Avada 2.x.

    • Natalia Manidis

      Hi RB, please reach out to the author of the theme — they should be able to assist you with this. Thanks!

    • RB

      Hi Natalia, ok… Thank you!

  • Wojciech Wowra

    The link http://themeforest.net/downloads redirects to your homepage…

  • Alex Bosy

    I am a buyer of Avada theme. My site was severely attacked and I paid 100$ to recover it. May I ask for moneyback?

  • Wil

    My question wasn’t offensive, it asked why it took 11 days to email this information out to your “valued customers”.

    I’ll try again,

    Why did this hit my inbox 11 days after this was published?

  • Can you please tell me whether my site is affected even if I did not use the Revolution Slider plugin on my site? The plugin is activated but I haven’t used it anywhere.

    • ThemePunch .

      Please make sure that your Revolution Slider version is 4.2 or newer, or if you don’t use the Slider anyway, please deactivate it. If you write us an email via “Mail us here” then we can take a look for you, of course!

  • ThemePunch .

    You don’t need to repurchase your theme. You can redownload it, or you can simply update only the Slider Revolution following the article above. If you’re not sure how to do that, please mail us here and we will take care of it for you!

  • Shana

    Hello, I have one of the affected themes, Brooklyn. I’ve followed the directions given us and my Revolution Plugin says it’s updated, but it’s not. The version is still 4.1.4, even though I downloaded a new version of Brooklyn and ftp’d the Revolution folder to my server; I also clicked on the “update” button on my plugins page, and clicked on the link to the Revolution slider via the Envato site. Nothing is working. What should I do?
    Thanks for your help.

  • vik

    Hi

    I also bought concrete5 add-on of revolution slider a year back. But that was never updated. And as Owen mentioned, the add-on has been removed from marketplace. Want to confirm if it’s safe to keep using the add-on on my concrete5 website? Or do we need to remove?

    Thanks!

  • LohasLifestyle

    Soak Soak… Seems that your piece of software makes too much trouble… running after updates is a full time job… nearly. How do you manage a bundled theme + revslider with updates… I only see a manual update possible, so you ask for money from the 100 000 users now affected?

  • Dave Wilson

    Perhaps a code sniffing and code quality check should be implemented to ensure plugins on codecanyon are following best practices.

  • studioso

    Hello,
    A while back I purchased a theme called “ultra” by WPExplorer. The theme is no longer available to download.
    When clicking on the above link to download a newer version of revslider I only see the 18$ purchase option (even though I’m logged in). What can you do to help me, please?

  • Josephine Cameron

    THANK YOU for offering the plugin fix for those of us with bundled themes whose authors have not offered a security update!

  • Ocean PR

    I have the same issue. I purchased this theme (MaS – Multi-Purpose Multilingual Responsive Theme) but the item was already removed and there aren’t any updates. What should I do?

  • Dear all,

    My site is currently infected via the revslider from the Pindol theme and I am being pressured by the hosting company: if I don’t fix this issue within 24hrs they will close my account 🙁

    This happened on the 20th December when my email got blacklisted (still is at the moment) by 2 organisations.

    The Pindol theme and the revslider were installed by the person who built my site about 2 years ago (whom I cannot get in touch with) and I have no license whatsoever.

    I tried to update the PINDOL theme or the REVSLIDER (Revolution Slider) but there are no updates options/buttons in WP admin.

    My site is currently working but I cannot use the email address as we are not able to send.

    Can anyone please help me with this, as my hosting will soon shut all the doors and I’m self-employed, thus email + site are worth a lot!

    Thank you in advance!
    Sanom