Skip to main content

Slider Revolution

12 CVEs product

Monthly

CVE-2026-7542 MEDIUM This Month

Server-side file exfiltration in the Slider Revolution WordPress plugin (≤7.0.10) allows any authenticated subscriber to copy arbitrary server files into the publicly accessible uploads directory. Three compounding design flaws enable this: a backend AJAX nonce is leaked to all authenticated users via the admin_footer hook, the image-creation action bypasses administrator-only access controls via an explicit allowlist entry, and the underlying file-copy function accepts local filesystem paths without restriction to HTTP/HTTPS URLs. No public exploit code or active exploitation has been identified at time of analysis, but the low privilege bar (subscriber-level account) and high confidentiality impact make this a meaningful risk for any WordPress site with open user registration.

Information Disclosure WordPress Slider Revolution
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2024-8107 MEDIUM This Month

The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.7.18 due to insufficient input sanitization and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Slider Revolution
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-4637 MEDIUM This Month

The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.7.10 due to insufficient input sanitization and output escaping on the. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Slider Revolution
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2024-4581 MEDIUM This Month

The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Add Layer widget in all versions up to, and including, 6.7.11 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Slider Revolution
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2024-4092 MEDIUM This Month

The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘htmltag’ parameter in all versions up to, and including, 6.7.7 due to insufficient input sanitization. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Slider Revolution
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2023-6528 HIGH POC THREAT Act Now

The Slider Revolution WordPress plugin before 6.6.19 does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 15.8%.

Deserialization WordPress RCE Slider Revolution
NVD WPScan
CVSS 3.1
8.8
EPSS
15.8%
CVE-2023-47784 HIGH This Week

Unrestricted Upload of File with Dangerous Type vulnerability in ThemePunch OHG Slider Revolution.6.15. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Slider Revolution
NVD
CVSS 3.1
8.4
EPSS
0.2%
CVE-2023-47772 MEDIUM This Month

Contributor+ Stored Cross-Site Scripting (XSS) vulnerability in Slider Revolution <= 6.6.14. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Slider Revolution
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-2359 HIGH POC This Week

The Slider Revolution WordPress plugin through 6.6.12 does not check for valid image files upon import, leading to an arbitrary file upload which may be escalated to Remote Code Execution in some. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Code Injection WordPress Slider Revolution
NVD WPScan
CVSS 3.1
8.8
EPSS
2.5%
CVE-2015-5151 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in the Slider Revolution (revslider) plugin 4.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the client_action parameter. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS WordPress PHP Slider Revolution
NVD
CVSS 2.0
4.3
EPSS
0.2%
CVE-2014-9735 HIGH POC THREAT Act Now

The ThemePunch Slider Revolution (revslider) plugin before 3.0.96 for WordPress and Showbiz Pro plugin 1.7.1 and earlier for Wordpress does not properly restrict access to administrator AJAX. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 82.7%.

WordPress Privilege Escalation Showbiz Pro Slider Revolution
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
82.7%
Threat
5.5
CVE-2014-9734 MEDIUM POC This Month

Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote attackers to read arbitrary files via a .. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal WordPress PHP Slider Revolution
NVD Exploit-DB
CVSS 2.0
5.0
EPSS
5.2%
EPSS 0% CVSS 6.5
MEDIUM This Month

Server-side file exfiltration in the Slider Revolution WordPress plugin (≤7.0.10) allows any authenticated subscriber to copy arbitrary server files into the publicly accessible uploads directory. Three compounding design flaws enable this: a backend AJAX nonce is leaked to all authenticated users via the admin_footer hook, the image-creation action bypasses administrator-only access controls via an explicit allowlist entry, and the underlying file-copy function accepts local filesystem paths without restriction to HTTP/HTTPS URLs. No public exploit code or active exploitation has been identified at time of analysis, but the low privilege bar (subscriber-level account) and high confidentiality impact make this a meaningful risk for any WordPress site with open user registration.

Information Disclosure WordPress Slider Revolution
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.7.18 due to insufficient input sanitization and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Slider Revolution
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.7.10 due to insufficient input sanitization and output escaping on the. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Slider Revolution
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Add Layer widget in all versions up to, and including, 6.7.11 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Slider Revolution
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘htmltag’ parameter in all versions up to, and including, 6.7.7 due to insufficient input sanitization. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Slider Revolution
NVD
EPSS 16% CVSS 8.8
HIGH POC THREAT Act Now

The Slider Revolution WordPress plugin before 6.6.19 does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 15.8%.

Deserialization WordPress RCE +1
NVD WPScan
EPSS 0% CVSS 8.4
HIGH This Week

Unrestricted Upload of File with Dangerous Type vulnerability in ThemePunch OHG Slider Revolution.6.15. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Slider Revolution
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Contributor+ Stored Cross-Site Scripting (XSS) vulnerability in Slider Revolution <= 6.6.14. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Slider Revolution
NVD
EPSS 3% CVSS 8.8
HIGH POC This Week

The Slider Revolution WordPress plugin through 6.6.12 does not check for valid image files upon import, leading to an arbitrary file upload which may be escalated to Remote Code Execution in some. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Code Injection +2
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in the Slider Revolution (revslider) plugin 4.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the client_action parameter. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS WordPress PHP +1
NVD
EPSS 83% 5.5 CVSS 7.5
HIGH POC THREAT Act Now

The ThemePunch Slider Revolution (revslider) plugin before 3.0.96 for WordPress and Showbiz Pro plugin 1.7.1 and earlier for Wordpress does not properly restrict access to administrator AJAX. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 82.7%.

WordPress Privilege Escalation Showbiz Pro +1
NVD Exploit-DB
EPSS 5% CVSS 5.0
MEDIUM POC This Month

Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote attackers to read arbitrary files via a .. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal WordPress PHP +1
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy