Skip to main content

Slider Revolution CVE-2026-7542

| EUVDEUVD-2026-35376 MEDIUM
Information Exposure (CWE-200)
2026-06-09 Wordfence GHSA-gjww-c2x7-4348
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from Vendor (Wordfence) · only source for this CVE.

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 09:17 vuln.today
CVE Published
Jun 09, 2026 - 07:49 nvd
MEDIUM 6.5

DescriptionCVE.org

The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to and including 7.0.10. This is due to three compounding design flaws: (1) the plugin leaks a valid backend AJAX nonce (revslider_actions) to all authenticated users including Subscribers via the admin_footer hook; (2) the wordpress.create.image_from_url action is explicitly allowlisted in the $user_allowed array, bypassing the administrator-only access control; (3) the create_wordpress_image_from_url() function accepts an attacker-controlled url parameter that is passed to import_media(), where path_or_url_exists() explicitly accepts local filesystem paths (file_exists() && is_readable()) with no restriction to remote HTTP/HTTPS URLs, and @copy() physically copies those files into the publicly accessible /wp-content/uploads/revslider/ai/ directory. The MIME type check trusts the attacker-supplied content_type parameter to derive the destination extension without verifying actual file content, and the source extension blacklist does not block many sensitive types (.sql, .log, .json, .bak, .xml, .csv, .conf, .yml, .yaml, .pem, .key, .crt, .txt, .db, etc.). This makes it possible for authenticated attackers with Subscriber-level access and above to read the contents of server files with non-blacklisted extensions by having them copied to a publicly accessible URL.

AnalysisAI

Server-side file exfiltration in the Slider Revolution WordPress plugin (≤7.0.10) allows any authenticated subscriber to copy arbitrary server files into the publicly accessible uploads directory. Three compounding design flaws enable this: a backend AJAX nonce is leaked to all authenticated users via the admin_footer hook, the image-creation action bypasses administrator-only access controls via an explicit allowlist entry, and the underlying file-copy function accepts local filesystem paths without restriction to HTTP/HTTPS URLs. No public exploit code or active exploitation has been identified at time of analysis, but the low privilege bar (subscriber-level account) and high confidentiality impact make this a meaningful risk for any WordPress site with open user registration.

Technical ContextAI

Slider Revolution (CPE: cpe:2.3:a:revolution_slider:slider_revolution:*:*:*:*:*:*:*:*) is a widely deployed WordPress visual editor plugin. The vulnerability chain is rooted in CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and manifests across three interconnected code paths. First, the plugin emits the revslider_actions WordPress AJAX nonce to all authenticated users via the admin_footer hook - a hook that fires on every admin-context page load - rather than restricting nonce delivery to administrators only. Second, the plugin's authorization layer uses a $user_allowed array to define which AJAX actions low-privilege users may call; the wordpress.create.image_from_url action is explicitly listed there, overriding the plugin's own administrator-only default. Third, the create_wordpress_image_from_url() function passes the attacker-supplied url parameter directly into import_media(), where path_or_url_exists() resolves the input using PHP's file_exists() and is_readable() - native filesystem functions that accept absolute local paths such as /etc/passwd or /var/www/html/wp-config.php - without any restriction to remote HTTP/HTTPS schemes. The @copy() call then writes the resolved file into /wp-content/uploads/revslider/ai/, a publicly web-accessible directory. A secondary weakness compounds the exposure: the destination file extension is derived from the attacker-supplied content_type parameter rather than verified file content, and the source extension blacklist omits a wide range of sensitive types including .sql, .log, .json, .bak, .xml, .csv, .conf, .yml, .yaml, .pem, .key, .crt, .txt, and .db.

RemediationAI

Administrators should update Slider Revolution beyond version 7.0.10 immediately; consult the vendor changelog at https://www.sliderrevolution.com/changelog/ to confirm the first patched release, as a specific fixed version number was not identified in the available intelligence. If an update cannot be applied immediately, the most effective compensating control is to deactivate the Slider Revolution plugin entirely until a patch is confirmed - this eliminates all three attack vectors simultaneously with no partial-fix risk. If deactivation is not feasible, disabling WordPress user registration (Settings → General → uncheck 'Anyone can register') prevents unauthenticated actors from obtaining the subscriber-level account required for exploitation, though this does not protect against sites where subscriber accounts already exist or are issued through other means (WooCommerce, membership plugins). A WAF rule blocking AJAX POST requests to wp-admin/admin-ajax.php where action=revslider_actions and the request body contains wordpress.create.image_from_url for non-administrator sessions can serve as a network-layer mitigation, but rule accuracy depends on the WAF's ability to inspect POST body content and session context. Verify that /wp-content/uploads/revslider/ai/ does not contain unexpected files following any investigation period.

CVE-2014-9735 HIGH POC
7.5 Jun 30

The ThemePunch Slider Revolution (revslider) plugin before 3.0.96 for WordPress and Showbiz Pro plugin 1.7.1 and earlier

CVE-2023-6528 HIGH POC
8.8 Jan 08

The Slider Revolution WordPress plugin before 6.6.19 does not prevent users with at least the Author role from unseriali

CVE-2023-2359 HIGH POC
8.8 Jun 19

The Slider Revolution WordPress plugin through 6.6.12 does not check for valid image files upon import, leading to an ar

CVE-2014-9734 MEDIUM POC
5.0 Jun 30

Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote att

CVE-2023-47784 HIGH
8.4 Dec 20

Unrestricted Upload of File with Dangerous Type vulnerability in ThemePunch OHG Slider Revolution.6.15. Rated high sever

CVE-2015-5151 MEDIUM POC
4.3 Jun 30

Cross-site scripting (XSS) vulnerability in the Slider Revolution (revslider) plugin 4.2.2 for WordPress allows remote a

CVE-2024-4581 MEDIUM
6.4 Jun 04

The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Add Layer widge

CVE-2024-4637 MEDIUM
6.4 Jun 04

The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and inclu

CVE-2024-4092 MEDIUM
6.4 May 02

The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘htmltag’ parameter in a

CVE-2024-8107 MEDIUM
5.4 Oct 01

The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all vers

CVE-2023-47772 MEDIUM
5.4 Nov 20

Contributor+ Stored Cross-Site Scripting (XSS) vulnerability in Slider Revolution <= 6.6.14. Rated medium severity (CVSS

Share

CVE-2026-7542 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy