Another serious WordPress plugin vulnerability

As many as 100,000 web sites built with WordPress have been compromised through a vulnerability in a plugin named ‘RevSlider’ (aka ‘Revolution Slider’, aka ‘Slider Revolution’). Attackers used the vulnerability to add malicious code to the compromised sites, which resulted in those sites serving up the malicious code to site visitors.

Unfortunately, the RevSlider plugin is not free, and as such it typically can’t be updated using the standard WordPress update mechanism. Worse still, the plugin is often included in commercial themes, in which case the theme developer must obtain the updated plugin, create a new package for the theme that includes the new plugin, then make that package available to their customers. Because of these hurdles, many affected sites have not yet been updated.

If you manage a WordPress site that uses RevSlider, you should determine whether it was purchased directly or as part of a commercial theme, then obtain an appropriate update and install it as soon as possible.
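To help with the first step above, here is an added example (not part of the original post) that lists every copy of the plugin under a WordPress install, shows whether it sits in the plugins directory or inside a theme, and reads its version from the plugin header. It assumes the plugin directory is named `revslider` and that the version appears in a standard WordPress `Version:` header comment.

```python
import re
import sys
from pathlib import Path

# Assumption: the plugin directory is named "revslider"; change if your copy differs.
PLUGIN_DIR_NAME = "revslider"
# WordPress plugin headers carry a "Version: x.y.z" line inside a PHP comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def read_version(plugin_dir):
    """Return the Version: value from a plugin header in plugin_dir, or None."""
    for php in sorted(plugin_dir.glob("*.php")):
        try:
            head = php.read_text(errors="replace")[:8192]
        except OSError:
            continue  # unreadable file: skip it, keep looking
        match = VERSION_RE.search(head)
        if match:
            return match.group(1)
    return None


def find_revslider(wp_root):
    """List each copy of the plugin under wp-content and where it is installed."""
    content = Path(wp_root) / "wp-content"
    findings = []
    for d in sorted(content.rglob(PLUGIN_DIR_NAME)):
        if not d.is_dir():
            continue
        parts = d.relative_to(content).parts
        if parts[0] == "plugins" and len(parts) == 2:
            source = "plugins directory"
        elif parts[0] == "themes" and len(parts) > 2:
            source = "bundled with theme '%s'" % parts[1]
        else:
            source = "unexpected location"
        findings.append({"path": str(d), "source": source,
                         "version": read_version(d)})
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in find_revslider(root):
        print("%s\t%s\tversion=%s" % (f["path"], f["source"], f["version"] or "unknown"))
```

Run it with the WordPress root as the only argument. A copy in the plugins directory can still have been installed from a theme's bundle, so confirm the result against your purchase records before deciding where to get the update.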

About jrivett

Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.
