Skip to main content

Slider Revolution EUVDEUVD-2026-41323

| CVE-2026-57678 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 audit@patchstack.com GHSA-9pp5-gx3c-vjc2
7.1
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-delivered reflected XSS needs no attacker auth (PR:N) but a victim click (UI:R); script runs cross-context (S:C) with limited C/I/A impact typical of XSS.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:31 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemePunch Slider Revolution allows Reflected XSS.

This issue affects Slider Revolution: from 7.0.0 through 7.0.16.

AnalysisAI

Reflected cross-site scripting in ThemePunch Slider Revolution (versions 7.0.0 through 7.0.16), a widely deployed premium WordPress slider/visual-builder plugin, lets a remote attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is marked Changed with low impact across confidentiality, integrity, and availability, successful exploitation can lead to session hijacking, defacement, or actions performed in the victim's authenticated context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft URL with XSS payload in revslider parameter
Delivery
Deliver malicious link via phishing
Exploit
Victim clicks and payload reflects
Execution
Script executes in victim browser
Impact
Steal session or act as user

Vulnerability AssessmentAI

Exploitation Exploitation requires victim user interaction (CVSS UI:R): the target must open an attacker-crafted link/request carrying the XSS payload in a Slider Revolution front-end or admin parameter, so it cannot be triggered silently or fully automatically. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): network-reachable, low complexity, and no privileges required, which raises exposure, but exploitation depends on user interaction (UI:R) - a victim must click a malicious link - which meaningfully limits mass, automated abuse. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to the target WordPress site with a malicious JavaScript payload embedded in a Slider Revolution request parameter and delivers it to a victim (e.g., a logged-in administrator) via phishing email or a malicious link. When the victim clicks the link, the unsanitized parameter is reflected into the page and the script executes in their browser, allowing session/cookie theft or actions in their authenticated context. …
Remediation Update Slider Revolution to a release newer than 7.0.16 (a version above the affected range published by ThemePunch/Patchstack); an exact patched version number was not provided in the input, so verify the current fixed release via the vendor and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/revslider/vulnerability/wordpress-slider-revolution-plugin-7-0-16-cross-site-scripting-xss-vulnerability before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations for Slider Revolution deployments and current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41323 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy