Skip to main content

Slider Revolution CVE-2026-9050

| EUVDEUVD-2026-33850 MEDIUM
Missing Authorization (CWE-862)
2026-06-02 security@wordfence.com GHSA-fp2m-xc58-36fx
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 02, 2026 - 00:35 vuln.today
CVE Published
Jun 02, 2026 - 00:16 nvd
MEDIUM 4.3

DescriptionCVE.org

The Slider Revolution plugin for WordPress in versions 6.0.0-6.7.55 and 7.0.0-7.0.14 is vulnerable to unauthorized modification of data. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to deactivate any active plugin installed on the site.

AnalysisAI

Slider Revolution, a widely deployed WordPress visual slider plugin, exposes an unauthorized plugin-deactivation capability to any authenticated user holding a Contributor-level role or above, across two major release branches. The root cause is a missing authorization check (CWE-862) that fails to verify whether the requesting user holds the WordPress capability required to manage installed plugins. Although the CVSS score of 4.3 reflects the authentication prerequisite, real-world impact in multi-user or open-registration WordPress environments can significantly exceed the score: a malicious contributor could selectively deactivate security plugins - firewalls, login hardeners, or audit loggers - clearing the path for follow-on attacks. No active exploitation has been confirmed (no CISA KEV listing) and no public POC has been identified at time of analysis.

Technical ContextAI

Slider Revolution is a commercial WordPress plugin with a very large install base used to build responsive sliders and visual content blocks. The vulnerability lies in a CWE-862 (Missing Authorization) pattern: the plugin exposes an AJAX or REST action handler that performs plugin management (deactivation of other installed plugins) without calling WordPress's native capability check - typically current_user_can('activate_plugins') - before executing the action. WordPress's role-based access model assigns plugin management exclusively to Administrators; the absence of this gate allows the Contributor role (the lowest authenticated role permitted to publish content) to invoke administrative-level operations. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) confirms the attack is fully remote, requires no special conditions beyond a valid low-privilege session, and produces an integrity impact without confidentiality or availability consequences at the CVSS level. No CPE strings were provided in the input intelligence.

RemediationAI

Administrators should update the Slider Revolution plugin to the first release above the affected ranges - above 6.7.55 for 6.x installations, and above 7.0.14 for 7.x installations. A specific patched version number was not independently confirmed from the references provided; consult the vendor advisory at https://www.sliderrevolution.com/ and the Wordfence intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/3a036855-35e0-4efd-aa27-16189b3538e9?source=cve for exact patched release details before upgrading. As an immediate compensating control where patching is delayed, administrators should audit all Contributor and Editor accounts and remove or demote any untrusted users - note this may interrupt legitimate content publishing workflows. Disabling open user registration in WordPress (Settings > General > uncheck 'Anyone can register') closes the easiest path for attacker account creation but does not address already-existing untrusted accounts. These controls reduce exposure but do not eliminate the vulnerability.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-9050 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy