Two days ago, Sucuri released information about a security exploit in the popular Slider Revolution framework that allows local file inclusion: if you are affected by the exploit, anyone can download any file on your server. This is a serious vulnerability and we recommend that you update Slider Revolution immediately and look through this list of affected themes (almost 200!) that have Slider Revolution bundled in them.
The vulnerability lies in the way that Slider Revolution handles a particular AJAX request. A visitor or bot can hit a certain URL with a file path attached and download any file on your server. This is of particular concern for WordPress users, as a hacker can easily download the wp-config.php file, gain access to your database credentials and then take complete control of your site. You can read more on Sucuri's blog.
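Because any file can be requested through a single parameter, the first thing a site owner wants to know is whether such requests already hit the server and whether they were answered. The following added example (it is not code from this post, from Sucuri, or from the Slider Revolution project) scans web-server access-log lines for query values that look like file-read attempts: path traversal, absolute paths, or sensitive filenames such as wp-config.php. The log lines are constructed, the AJAX action name is a placeholder, and the `file` parameter name is an assumption; the check inspects every query parameter, so it does not depend on knowing which one the vulnerable handler reads.

```python
"""Flag access-log requests that look like arbitrary-file-download attempts.

Added example, not from the original post, Sucuri or Slider Revolution.
Assumes the Apache/nginx "combined" log format. The AJAX action name and
the `file` parameter below are placeholders, not the plugin's real names.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample traffic (not real log data). Two sources probe the
# AJAX endpoint with traversal payloads; one legitimate request asks for a
# slide image; one request is an ordinary page view.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Sep/2014:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=PLACEHOLDER_ACTION&file=../wp-config.php HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Sep/2014:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=PLACEHOLDER_ACTION&file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2201 "-" "curl/7.30"
198.51.100.9 - - [03/Sep/2014:10:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=PLACEHOLDER_ACTION&file=slides/banner.jpg HTTP/1.1" 200 51203 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Sep/2014:10:02:11 +0000] "GET /about/ HTTP/1.1" 200 9182 "-" "Mozilla/5.0"
192.0.2.77 - - [03/Sep/2014:10:05:40 +0000] "GET /wp-admin/admin-ajax.php?action=PLACEHOLDER_ACTION&file=..%252F..%252Fwp-config.php HTTP/1.1" 403 199 "-" "python-requests/2.3"
192.0.2.77 - - [03/Sep/2014:10:05:41 +0000] "GET /wp-admin/admin-ajax.php?action=PLACEHOLDER_ACTION&file=wp-config.php HTTP/1.1" 404 209 "-" "python-requests/2.3"
"""

# Combined log format: client, identd, user, [time], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Filenames whose mere mention in a file parameter is worth a look.
SENSITIVE_NAMES = ("wp-config.php", ".htaccess", "passwd", "shadow", ".env")


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (..%252F) are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(raw_value):
    """Return a reason string if a query value looks like a file-read attempt, else None."""
    value = decode_fully(raw_value).replace("\\", "/")
    segments = value.split("/")
    if ".." in segments:
        return "path traversal"
    if value.startswith("/"):
        return "absolute path"
    basename = segments[-1].lower()
    if any(basename.endswith(name) for name in SENSITIVE_NAMES):
        return "sensitive filename"
    return None


def scan_log(text):
    """Parse combined-format log text and return one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(match["target"])
        # parse_qsl already decodes one layer of percent-encoding.
        for param, raw in parse_qsl(parts.query, keep_blank_values=True):
            reason = classify_value(raw)
            if reason is None:
                continue
            findings.append({
                "ip": match["ip"],
                "time": match["time"],
                "path": parts.path,
                "param": param,
                "value": decode_fully(raw),
                "reason": reason,
                "status": int(match["status"]),
                # A 200 on such a request means the server most likely served the file.
                "served": match["status"] == "200",
            })
    return findings


def served_ips(findings):
    """Clients whose file-read attempts were answered with 200 (the ones to treat as breaches)."""
    return {f["ip"] for f in findings if f["served"]}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "SERVED" if f["served"] else "blocked"
        print(f"{f['ip']} {f['time']} {f['path']} {f['param']}={f['value']!r} [{f['reason']}] {f['status']} {flag}")
    print("clients that received files:", sorted(served_ips(scan_log(SAMPLE_LOG))))
```

Feed it the real access log instead of `SAMPLE_LOG` (for example `scan_log(open("access.log").read())`). Any finding with `served` true means the request got a 200 and the file content most likely left the server, so those hosts warrant rotating the credentials in wp-config.php and the salts, not just patching. A 403 or 404 on the same payload shows a block or a miss, which is useful for confirming that a firewall rule or the plugin update is working.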
This vulnerability brings up an important point about purchased themes: you never really know what you're getting. Around 200 themes on the popular theme marketplace ThemeForest were affected by the exploit, and many of those theme authors have not updated their themes, resulting in a very large exposure. If you're going to purchase a theme, we recommend having an expert review it to ensure that it doesn't contain this (or any of many other) vulnerabilities.