Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from Vendor (Wordfence) · only source for this CVE.
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to and including 7.0.10. This is due to three compounding design flaws: (1) the plugin leaks a valid backend AJAX nonce (revslider_actions) to all authenticated users including Subscribers via the admin_footer hook; (2) the wordpress.create.image_from_url action is explicitly allowlisted in the $user_allowed array, bypassing the administrator-only access control; (3) the create_wordpress_image_from_url() function accepts an attacker-controlled url parameter that is passed to import_media(), where path_or_url_exists() explicitly accepts local filesystem paths (file_exists() && is_readable()) with no restriction to remote HTTP/HTTPS URLs, and @copy() physically copies those files into the publicly accessible /wp-content/uploads/revslider/ai/ directory. The MIME type check trusts the attacker-supplied content_type parameter to derive the destination extension without verifying actual file content, and the source extension blacklist does not block many sensitive types (.sql, .log, .json, .bak, .xml, .csv, .conf, .yml, .yaml, .pem, .key, .crt, .txt, .db, etc.). This makes it possible for authenticated attackers with Subscriber-level access and above to read the contents of server files with non-blacklisted extensions by having them copied to a publicly accessible URL.
AnalysisAI
Server-side file exfiltration in the Slider Revolution WordPress plugin (≤7.0.10) allows any authenticated subscriber to copy arbitrary server files into the publicly accessible uploads directory. Three compounding design flaws enable this: a backend AJAX nonce is leaked to all authenticated users via the admin_footer hook, the image-creation action bypasses administrator-only access controls via an explicit allowlist entry, and the underlying file-copy function accepts local filesystem paths without restriction to HTTP/HTTPS URLs. No public exploit code or active exploitation has been identified at time of analysis, but the low privilege bar (subscriber-level account) and high confidentiality impact make this a meaningful risk for any WordPress site with open user registration.
Technical ContextAI
Slider Revolution (CPE: cpe:2.3:a:revolution_slider:slider_revolution:*:*:*:*:*:*:*:*) is a widely deployed WordPress visual editor plugin. The vulnerability chain is rooted in CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and manifests across three interconnected code paths. First, the plugin emits the revslider_actions WordPress AJAX nonce to all authenticated users via the admin_footer hook - a hook that fires on every admin-context page load - rather than restricting nonce delivery to administrators only. Second, the plugin's authorization layer uses a $user_allowed array to define which AJAX actions low-privilege users may call; the wordpress.create.image_from_url action is explicitly listed there, overriding the plugin's own administrator-only default. Third, the create_wordpress_image_from_url() function passes the attacker-supplied url parameter directly into import_media(), where path_or_url_exists() resolves the input using PHP's file_exists() and is_readable() - native filesystem functions that accept absolute local paths such as /etc/passwd or /var/www/html/wp-config.php - without any restriction to remote HTTP/HTTPS schemes. The @copy() call then writes the resolved file into /wp-content/uploads/revslider/ai/, a publicly web-accessible directory. A secondary weakness compounds the exposure: the destination file extension is derived from the attacker-supplied content_type parameter rather than verified file content, and the source extension blacklist omits a wide range of sensitive types including .sql, .log, .json, .bak, .xml, .csv, .conf, .yml, .yaml, .pem, .key, .crt, .txt, and .db.
RemediationAI
Administrators should update Slider Revolution beyond version 7.0.10 immediately; consult the vendor changelog at https://www.sliderrevolution.com/changelog/ to confirm the first patched release, as a specific fixed version number was not identified in the available intelligence. If an update cannot be applied immediately, the most effective compensating control is to deactivate the Slider Revolution plugin entirely until a patch is confirmed - this eliminates all three attack vectors simultaneously with no partial-fix risk. If deactivation is not feasible, disabling WordPress user registration (Settings → General → uncheck 'Anyone can register') prevents unauthenticated actors from obtaining the subscriber-level account required for exploitation, though this does not protect against sites where subscriber accounts already exist or are issued through other means (WooCommerce, membership plugins). A WAF rule blocking AJAX POST requests to wp-admin/admin-ajax.php where action=revslider_actions and the request body contains wordpress.create.image_from_url for non-administrator sessions can serve as a network-layer mitigation, but rule accuracy depends on the WAF's ability to inspect POST body content and session context. Verify that /wp-content/uploads/revslider/ai/ does not contain unexpected files following any investigation period.
More in Slider Revolution
View allThe ThemePunch Slider Revolution (revslider) plugin before 3.0.96 for WordPress and Showbiz Pro plugin 1.7.1 and earlier
The Slider Revolution WordPress plugin before 6.6.19 does not prevent users with at least the Author role from unseriali
The Slider Revolution WordPress plugin through 6.6.12 does not check for valid image files upon import, leading to an ar
Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote att
Unrestricted Upload of File with Dangerous Type vulnerability in ThemePunch OHG Slider Revolution.6.15. Rated high sever
Cross-site scripting (XSS) vulnerability in the Slider Revolution (revslider) plugin 4.2.2 for WordPress allows remote a
The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Add Layer widge
The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and inclu
The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘htmltag’ parameter in a
The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all vers
Contributor+ Stored Cross-Site Scripting (XSS) vulnerability in Slider Revolution <= 6.6.14. Rated medium severity (CVSS
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35376
GHSA-gjww-c2x7-4348