Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Slider Revolution plugin for WordPress in versions 6.0.0-6.7.55 and 7.0.0-7.0.14 is vulnerable to unauthorized modification of data. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to deactivate any active plugin installed on the site.
AnalysisAI
Slider Revolution, a widely deployed WordPress visual slider plugin, exposes an unauthorized plugin-deactivation capability to any authenticated user holding a Contributor-level role or above, across two major release branches. The root cause is a missing authorization check (CWE-862) that fails to verify whether the requesting user holds the WordPress capability required to manage installed plugins. Although the CVSS score of 4.3 reflects the authentication prerequisite, real-world impact in multi-user or open-registration WordPress environments can significantly exceed the score: a malicious contributor could selectively deactivate security plugins - firewalls, login hardeners, or audit loggers - clearing the path for follow-on attacks. No active exploitation has been confirmed (no CISA KEV listing) and no public POC has been identified at time of analysis.
Technical ContextAI
Slider Revolution is a commercial WordPress plugin with a very large install base used to build responsive sliders and visual content blocks. The vulnerability lies in a CWE-862 (Missing Authorization) pattern: the plugin exposes an AJAX or REST action handler that performs plugin management (deactivation of other installed plugins) without calling WordPress's native capability check - typically current_user_can('activate_plugins') - before executing the action. WordPress's role-based access model assigns plugin management exclusively to Administrators; the absence of this gate allows the Contributor role (the lowest authenticated role permitted to publish content) to invoke administrative-level operations. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) confirms the attack is fully remote, requires no special conditions beyond a valid low-privilege session, and produces an integrity impact without confidentiality or availability consequences at the CVSS level. No CPE strings were provided in the input intelligence.
RemediationAI
Administrators should update the Slider Revolution plugin to the first release above the affected ranges - above 6.7.55 for 6.x installations, and above 7.0.14 for 7.x installations. A specific patched version number was not independently confirmed from the references provided; consult the vendor advisory at https://www.sliderrevolution.com/ and the Wordfence intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/3a036855-35e0-4efd-aa27-16189b3538e9?source=cve for exact patched release details before upgrading. As an immediate compensating control where patching is delayed, administrators should audit all Contributor and Editor accounts and remove or demote any untrusted users - note this may interrupt legitimate content publishing workflows. Disabling open user registration in WordPress (Settings > General > uncheck 'Anyone can register') closes the easiest path for attacker account creation but does not address already-existing untrusted accounts. These controls reduce exposure but do not eliminate the vulnerability.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33850
GHSA-fp2m-xc58-36fx