• Resolved itsfridaymoanin

    (@itsfridaymoanin)


    When using the browser proxy Hola in Chrome, I can get a 403 Forbidden response when I try to access /wp-admin/admin-post.php or /wp-admin/about.php.

    How can I test the Zero Day Exploit validation for the Plugins and Themes directories? (I already have the validations set correctly in the Validation Target Settings.) I am allowed to access files in the theme and plugin directories directly from my browser (e.g. /wp-content/plugins/revslider/index.php or /wp-content/themes/twentyfifteen/index.php). How is a request to these files judged as “malicious” and treated accordingly?

    Thanks for the plugin!

    -Nick

    https://wordpress.org/plugins/ip-geo-block/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi itsfridaymoanin,

    Thanks for asking. I’ll try to explain the details.

    In the case of the vulnerability in old revslider, WP-ZEP can’t block the attack but “Important files” can. If you access /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php, then you will be blocked.

    WP-ZEP will carefully block the action which is given to /wp-admin/admin-{ajax|post}.php only for the logged-in user. This means that it blocks “malicious accesses only to the back end services” in order not to block the “valid access to the services by your visitors”. The vulnerability of revslider provided its service not only to logged-in users but also to visitors. This is why WP-ZEP can’t block it.

    In the case of direct access to wp-content/{plugins|themes}/*.php, this plugin can’t select the request, as mentioned above, and you should put a specific .htaccess into your /wp-content/themes/ directory if your server is Apache. Please check out this article.

    After putting the proper .htaccess in place, your access to /wp-content/themes/twentyfifteen/index.php will be blocked.

    If you’re interested in those topics, please check my articles at the development blog.

    And you might be interested in the “Access Emulator” which I made. It can GET/POST the 13 patterns of access in order to test the functionality of this plugin.

    Thanks again.
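The three layers described in the reply above, as a constructed model that shows which layer catches each of the requests mentioned in this thread. This is added illustration code, not the plugin’s own; the function names, the IMPORTANT_FILES list and the result labels are assumptions.

```python
import posixpath
from urllib.parse import urlparse, parse_qs, unquote

# Constructed model of the three protection layers described in the reply.
# Not the plugin's code; the names and lists below are assumptions.
IMPORTANT_FILES = {"wp-config.php"}
ZEP_ENDPOINTS = {"/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php"}
DIRECT_PHP_DIRS = ("/wp-content/plugins/", "/wp-content/themes/")


def hits_important_file(url: str) -> bool:
    """'Important files' layer: a query value that, after decoding and
    normalising '../' segments, resolves to a protected file is blocked
    regardless of whether the client is logged in."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    for values in query.values():
        for value in values:
            decoded = unquote(value)  # parse_qs decoded once; catch one more layer
            target = posixpath.normpath(decoded)
            if posixpath.basename(target) in IMPORTANT_FILES:
                return True
    return False


def classify(url: str, logged_in: bool) -> str:
    """Return which layer handles the request, following the reply's rules."""
    parsed = urlparse(url)
    path = parsed.path
    if hits_important_file(url):
        return "important-files"
    if path in ZEP_ENDPOINTS:
        # WP-ZEP inspects the action only for logged-in users; a visitor's
        # request to the same endpoint is outside its scope, so the service
        # stays reachable for ordinary site visitors.
        has_action = "action" in parse_qs(parsed.query)
        if logged_in and has_action:
            return "wp-zep"
        return "pass (visitor, outside WP-ZEP scope)"
    if path.startswith(DIRECT_PHP_DIRS) and path.endswith(".php"):
        # A PHP file requested directly runs without loading WordPress, so no
        # plugin sees the request; only the web server (.htaccess) can deny it.
        return "direct-php (needs .htaccess)"
    return "pass"
```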

    Plugin Author tokkonopapa

    (@tokkonopapa)

    P.S. The latest protection performance which I estimated can be found here.

  • The topic ‘How to Test Plugins and Themes Areas Zero Day Exploit Validation’ is closed to new replies.