An exploit in a WordPress plug-in has resulted in the infection of over 100,000 WordPress websites since Sunday.  And what is worse, because the plugin is bundled with many themes, many webmasters might be unaware that they use it and are not getting plugin update reminders for what has been termed as a Zero Day exploit.

The exploited plugin is called Slider Revolution, a popular slideshow plugin utilized by many WordPress theme designers also known as RevSlide. It is a premium plug-in, which means users paid for the use of the plugin. But incredibly, even though the exploit was known and fixed earlier this year, RevShare never announced that there was a problem with the plugin being exploited, leaving many webmasters unaware of the urgency required to fix it.  They also have a second plugin, ShowBiz Pro, that is also affected by the same exploit.

ThemePunch, the plugin creator, commented that they were instructed not to make the exploit public so that hacking instructions would not be easily available. While spammers have been using the back door to hack sites months ago, this major attack began on Sunday.

The exploit works simply by accessing a specific URL, which makes the wp-config.php file available to the hackers, who then have full database credentials to the site.

For RevSlide, you need to have version 4.2.0 or newer to be safe, which was released in February 2014.  For ShowBiz Pro, you need 1.5.3 or later, which was released in January 2014.

What makes this exploit worse, and harder to discover, is that this plug-in is also quietly bundled with many theme packages, so even if you don’t remember specifically installing this plug-in, it may have been used by the designer of your theme, and as such does not auto-update to the latest version and you will be unaware that there could be a possible exploit.  And even worse, many of these theme designers are still selling their WordPress themes with an older version of RevSlide, meaning even if you purchase the theme today, you can still be exploited.

Envato Market has a great updated list detailing all the themes they are aware of that are affected by this exploit.  It also details which themes have updated the included RevSlide and those which have not.

Google has also blocked many of these sites in their search results, in an attempt to limit the damage. So if your site is infected, potential visitors are going to see an alert that states the website contains malware and that they should not visit the website. If your site is infected, and Google has discovered it, there should also be an alert in your Google webmaster tools that your site contains malware.

Security site Sucuri, which was also the first site to detail this latest exploit, also offers a free scanner you can use to automatically check websites for malware, which can be handy for sites that have been exploited that have not yet been discovered by Google.

It is recommended that you update the plugin immediately.  Some are recommending to replace the swfobject.js and template-loader.php files to remove the exploit. But if your site has already been exploited, you will also need to change your database credentials as well, as the hackers will still have that information for your site to re-hack.

This also serves as a reminder that is always very important to keep WordPress updated, and not just WordPress itself but also all the plug-ins and themes you use. As is seen in this case, sometimes there are so-called Zero Day exploits that are fixed, yet aren’t publicized, so you may not know when there’s a severe vulnerability that you need to update to fix.