Description
The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to and including 7.0.10. This is due to three compounding design flaws: (1) the plugin leaks a valid backend AJAX nonce (revslider_actions) to all authenticated users including Subscribers via the admin_footer hook; (2) the wordpress.create.image_from_url action is explicitly allowlisted in the $user_allowed array, bypassing the administrator-only access control; (3) the create_wordpress_image_from_url() function accepts an attacker-controlled url parameter that is passed to import_media(), where path_or_url_exists() explicitly accepts local filesystem paths (file_exists() && is_readable()) with no restriction to remote HTTP/HTTPS URLs, and @copy() physically copies those files into the publicly accessible /wp-content/uploads/revslider/ai/ directory. The MIME type check trusts the attacker-supplied content_type parameter to derive the destination extension without verifying actual file content, and the source extension blacklist does not block many sensitive types (.sql, .log, .json, .bak, .xml, .csv, .conf, .yml, .yaml, .pem, .key, .crt, .txt, .db, etc.). This makes it possible for authenticated attackers with Subscriber-level access and above to read the contents of server files with non-blacklisted extensions by having them copied to a publicly accessible URL.
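The description above identifies three weaknesses in the import path: a source check that accepts local filesystem paths, a destination extension derived from a caller-supplied content_type, and a blacklist of source extensions that misses many sensitive types. The following PHP is an added example written for this page; it is not code from Slider Revolution or from Wordfence, and the function names (assert_remote_media_url, extension_for_image_bytes, import_remote_image) are hypothetical. It shows the hardened shape of such an import: the source must be an absolute http(s) URL, the extension comes from the fetched bytes via finfo, and only an allowlist of image types is ever written to the upload directory. The inputs in the self-check (a 1x1 PNG and a fake fetcher) are constructed so the script runs offline.

```php
<?php
// Added example, not the plugin's own code. Hardened version of a
// "create image from URL" import: remote http(s) source only, destination
// extension derived from content (never from a content_type parameter),
// and an allowlist of image MIME types instead of a blacklist of extensions.
// Function names below are hypothetical.
declare(strict_types=1);

const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

// Reject anything that is not an absolute http(s) URL with a host. A bare
// path, a file:// URI or a scheme-less string all fail here, which closes
// the "local path accepted by file_exists()" branch from the advisory.
function assert_remote_media_url(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException('Source must be an absolute http(s) URL');
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http and https sources are allowed');
    }
    return $url;
}

// Derive the destination extension from the actual bytes. Returns null for
// anything outside the allowlist, so no unexpected type is ever written.
function extension_for_image_bytes(string $bytes): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($bytes);
    return ALLOWED_IMAGE_TYPES[$mime] ?? null;
}

// Fetch a remote image and store it under $uploadDir with a random name.
// $fetch is injectable so the function can be exercised without network access.
function import_remote_image(string $url, string $uploadDir, callable $fetch): string
{
    $url   = assert_remote_media_url($url);
    $bytes = $fetch($url);
    $ext   = extension_for_image_bytes($bytes);
    if ($ext === null) {
        throw new RuntimeException('Fetched content is not an allowed image type');
    }
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (file_put_contents($dest, $bytes) === false) {
        throw new RuntimeException('Could not write imported image');
    }
    return $dest;
}

// Self-check with constructed inputs: a 1x1 PNG and a fetcher that returns it.
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$fakeFetch = fn(string $url): string => $png;
$tmp = sys_get_temp_dir();

$dest = import_remote_image('https://example.com/picture.png', $tmp, $fakeFetch);
echo (str_ends_with($dest, '.png') ? 'ok' : 'FAIL') . ": stored as $dest\n";
unlink($dest);

// Local paths and non-http schemes are refused before anything is read.
foreach (['/path/to/local/file.sql', 'file:///path/to/local/file.sql', 'ftp://example.com/x.png'] as $bad) {
    try {
        import_remote_image($bad, $tmp, $fakeFetch);
        echo "FAIL: accepted $bad\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected source: $bad\n";
    }
}

// Non-image bytes are refused regardless of any claimed content type.
try {
    import_remote_image('https://example.com/not-an-image', $tmp, fn(string $u): string => "SELECT 1;\n");
    echo "FAIL: wrote non-image content\n";
} catch (RuntimeException $e) {
    echo "rejected content: not an allowed image type\n";
}
```

Inside WordPress itself the same two checks map onto core helpers: wp_http_validate_url() for the source URL (it also refuses loopback and private hosts, which this standalone example does not) and wp_check_filetype_and_ext() for reconciling the claimed type with the file's real contents.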
Published: 2026-06-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Slider Revolution plugin for WordPress suffers from a combination of design flaws that allow authenticated users with Subscriber level access or higher to gain sensitive information. The plugin exposes a valid backend AJAX nonce in the front‑end, bypasses the intended administrator‑only access control for the wordpress.create.image_from_url action, and accepts attacker‑controlled URLs that can be copied into the public uploads directory. By supplying a local filesystem path, an attacker can cause the plugin to copy sensitive files such as .sql, .conf, or .pem into a publicly accessible location, enabling direct download of those files.

Affected Systems

Affects the Slider Revolution plugin (listed under the vendor Revolution Slider) and all WordPress sites that have it installed in a version up to and including 7.0.10. Any authenticated user, even one with only Subscriber privileges, can exploit the vulnerability, so the impact spans every site running a vulnerable version of the plugin.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate to high risk, and the absence of an EPSS score and KEV listing suggests the vulnerability is not yet widely exploited in the public domain. The attack requires only authentication and sufficient access to the plugin’s AJAX interface, which is available to all logged‑in users. Exploitation leads to the disclosure of arbitrary non‑blacklisted server files, but does not allow arbitrary code execution. Administrators should consider the vulnerability significant enough to warrant immediate remediation.

Generated by OpenCVE AI on June 9, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Slider Revolution to the latest version, preferably 7.0.11 or later, which removes the vulnerable file-copy logic and restricts nonce exposure.
  • Ensure the WordPress installation runs the latest core, plugin, and theme updates, and that only trusted administrators have the ability to call the image import feature, possibly by disabling the wordpress.create.image_from_url action for non-admin roles.
  • Clean the /wp-content/uploads/revslider/ai/ directory or any publicly accessible directories that may contain exposed files, and restrict file upload permissions to prevent future accidental leaks.



Advisories

No advisories yet.

History

(No values were removed in any of the entries below; each lists only what was added.)

Tue, 09 Jun 2026 16:30:00 +0000

  Metrics (ssvc) added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 10:15:00 +0000

  First Time appeared: Revolution Slider slider Revolution; Wordpress wordpress
  Vendors & Products added: Revolution Slider slider Revolution; Wordpress wordpress

Tue, 09 Jun 2026 08:45:00 +0000

  Description added: the text shown in the Description section above
  Title added: Slider Revolution <= 7.0.10 - Authenticated (Subscriber+) Sensitive Information Disclosure
  Weaknesses added: CWE-200
  References added: none listed
  Metrics (cvssV3_1) added:
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-09T16:03:46.657Z

Reserved: 2026-04-30T18:43:22.295Z

Link: CVE-2026-7542

Vulnrichment

Updated: 2026-06-09T16:03:42.549Z

NVD

Status: Deferred

Published: 2026-06-09T09:16:30.880

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-7542

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T09:57:00Z

Weaknesses