vul_app: wordpress_revslider_and_showbiz_access_ctrl_vul (Rule ID: 1070210008)

Release Date: 2025/9/15

Rule Name: CVE-2014-9735: WordPress Revslider Plugin and Showbiz Pro Plugin Access Control Vulnerability

Severity: high

CVE ID: CVE-2014-9735

 

Description

WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. WordPress is installed on a web server that is either part of an Internet hosting service or a network host in its own right. The ThemePunch Slider Revolution (revslider) plugin before 2.0.96 for WordPress and the Showbiz Pro plugin 1.7.1 and earlier for WordPress do not properly restrict access to administrator AJAX functionality, which allows remote attackers to (1) upload and execute arbitrary files via an update_plugin action; (2) delete arbitrary sliders via a delete_slider action; and (3) create, (4) update, (5) import, or (6) export arbitrary sliders via unspecified vectors. This rule helps defend against A6: Vulnerable and Outdated Components and A1: Broken Access Control of the OWASP Top 10 - 2021.
Other reference: None
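The root cause described above is an admin AJAX handler that is reachable without a capability check. The following is an added illustration (not Hillstone's rule logic and not ThemePunch's plugin code) of the weak pattern beside the hardened form a WordPress plugin should use; the action name `example_update_plugin`, the nonce name `example_ajax_nonce`, the upload field `update_file` and the helper `example_install_update_package()` are assumptions made for this example.

```php
<?php
// Added example; not code from the original page or from the affected plugins.
// Shows why an admin-ajax.php handler without a capability check is a broken
// access control, and what the corrected handler looks like.

// --- WEAK PATTERN -----------------------------------------------------------
// wp_ajax_{action} fires for ANY logged-in user regardless of role, and
// wp_ajax_nopriv_{action} additionally exposes the handler to unauthenticated
// visitors. Nothing below verifies who is calling or that the request was
// intentionally issued from the plugin's own admin page.
add_action( 'wp_ajax_example_update_plugin',        'example_update_plugin_weak' );
add_action( 'wp_ajax_nopriv_example_update_plugin', 'example_update_plugin_weak' );
function example_update_plugin_weak() {
    // Hands the uploaded package straight to the installer: the caller's role
    // and the file's type are never checked. (assumed helper)
    example_install_update_package( $_FILES['update_file'] );
    wp_send_json_success();
}

// --- HARDENED PATTERN -------------------------------------------------------
// Registered only for authenticated users (no nopriv hook), and the handler
// itself enforces capability, CSRF nonce and upload validation before any
// side effect. The same three checks belong in every privileged action
// (delete, create, update, import, export), not only in the installer.
add_action( 'wp_ajax_example_update_plugin', 'example_update_plugin_hardened' );
function example_update_plugin_hardened() {
    // 1. Authorization: only users allowed to install plugins may proceed.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce minted for this
    //    action (wp_create_nonce( 'example_ajax_nonce' ) on the admin page).
    //    check_ajax_referer() dies with a -1 response when it does not match.
    check_ajax_referer( 'example_ajax_nonce', 'nonce' );

    // 3. Input validation: require a successful upload whose real content
    //    matches the only package type the installer accepts.
    if ( empty( $_FILES['update_file'] ) || UPLOAD_ERR_OK !== $_FILES['update_file']['error'] ) {
        wp_send_json_error( array( 'message' => 'No valid upload received.' ), 400 );
    }
    $check = wp_check_filetype_and_ext(
        $_FILES['update_file']['tmp_name'],
        $_FILES['update_file']['name'],
        array( 'zip' => 'application/zip' )
    );
    if ( 'zip' !== $check['ext'] ) {
        wp_send_json_error( array( 'message' => 'Only zip packages are accepted.' ), 400 );
    }

    // Only now is the package handed to the installer. (assumed helper)
    example_install_update_package( $_FILES['update_file'] );
    wp_send_json_success();
}
```

The capability check is the fix for the access-control flaw; the nonce check prevents a logged-in administrator from being tricked into triggering the action cross-site, and the file-type check narrows what the installer ever sees. Removing the `wp_ajax_nopriv_` registration for privileged actions matters on its own: leaving it in place makes the handler callable with no session at all.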

 

Solution

Apply the vendor's patches.