Description
The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions 7.0 to 7.0.10. This is due to three compounding design flaws: (1) the plugin leaks a valid backend AJAX nonce (revslider_actions) to all authenticated users including Subscribers via the admin_footer hook; (2) the wordpress.create.image_from_url action is explicitly allowlisted in the $user_allowed array, bypassing the administrator-only access control; (3) the create_wordpress_image_from_url() function accepts an attacker-controlled url parameter that is passed to import_media(), where path_or_url_exists() explicitly accepts local filesystem paths (file_exists() && is_readable()) with no restriction to remote HTTP/HTTPS URLs, and @copy() physically copies those files into the publicly accessible /wp-content/uploads/revslider/ai/ directory. The MIME type check trusts the attacker-supplied content_type parameter to derive the destination extension without verifying actual file content, and the source extension blacklist does not block many sensitive types (.sql, .log, .json, .bak, .xml, .csv, .conf, .yml, .yaml, .pem, .key, .crt, .txt, .db, etc.). This makes it possible for authenticated attackers with Subscriber-level access and above to read the contents of server files with non-blacklisted extensions by having them copied to a publicly accessible URL.
Published: 2026-06-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Slider Revolution plugin for WordPress carries a CWE-200 information exposure weakness that lets authenticated users, down to the Subscriber role, read server files. Three flaws compound. First, the plugin prints a valid backend AJAX nonce (revslider_actions) on admin pages for every logged-in user via the admin_footer hook, so possession of the nonce proves nothing about privilege. Second, the wordpress.create.image_from_url action is listed in the $user_allowed array, which bypasses the administrator-only access control that guards the other actions. Third, create_wordpress_image_from_url() passes the attacker-controlled url parameter to import_media(), whose path_or_url_exists() check accepts local filesystem paths (file_exists() && is_readable()) instead of restricting the source to remote HTTP/HTTPS URLs, after which @copy() places the file in the web-accessible /wp-content/uploads/revslider/ai/ directory. The MIME type check trusts the attacker-supplied content_type parameter to choose the destination extension without inspecting the file content, and the source extension blacklist leaves many sensitive types uncovered (.sql, .log, .json, .bak, .xml, .csv, .conf, .yml, .yaml, .pem, .key, .crt, .txt, .db, etc.). Any authenticated user can therefore have a file with a non-blacklisted extension copied to a public URL and download it. The impact is confidentiality only; the set of readable files is bounded by the web server process's read permissions and by the blacklist.
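
The flaw chain in the Description and the Impact section above maps onto a small set of missing checks. The following PHP is an added example, not Slider Revolution's code and not a reconstruction of its source: the vulnerable_path_or_url_exists() function only illustrates the shape the advisory describes, and the hardened functions, the IMPORT_MIME_TO_EXT table and the 'upload_files' capability are assumptions chosen to show the fix pattern (scheme allowlist, content-derived extension, type allowlist, capability check).

```php
<?php
declare(strict_types=1);

// Added example, not Slider Revolution's code. Function names, the
// IMPORT_MIME_TO_EXT table and the 'upload_files' capability are assumptions.

// Shape of the pattern the advisory describes (illustrative, not the plugin's
// source): file_exists() lets a local path pass as a "URL", so a later copy()
// can move any readable file into the public uploads directory.
function vulnerable_path_or_url_exists(string $url): bool
{
    if (file_exists($url) && is_readable($url)) {
        return true;                                  // local path accepted
    }
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

// Hardened replacement: only absolute http(s) URLs to public hosts are fetched,
// the destination extension is derived from the bytes, and the type check is an
// allowlist rather than a blacklist of source extensions.
const IMPORT_MIME_TO_EXT = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

function validate_remote_image_url(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException('only absolute http(s) URLs are accepted');
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('scheme not allowed: ' . $parts['scheme']);
    }
    // Refuse hosts that resolve to private or reserved ranges so the fetch cannot
    // be pointed at the server itself or its network. The name is resolved again
    // by the fetch, so a DNS-rebinding attacker could still race this check;
    // pinning the resolved IP for the request closes that gap.
    $ip = gethostbyname($parts['host']);
    if (filter_var($ip, FILTER_VALIDATE_IP,
                   FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        throw new InvalidArgumentException('host is unresolvable or not public');
    }
    return $url;
}

function image_extension_from_bytes(string $bytes): string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime === false || !isset(IMPORT_MIME_TO_EXT[$mime])) {
        throw new RuntimeException('content is not an allowed image type');
    }
    return IMPORT_MIME_TO_EXT[$mime];
}

function secure_import_image_from_url(string $url, string $dest_dir, int $max_bytes = 10_000_000): string
{
    // Authorisation is a capability check on the caller, not possession of a
    // nonce that every logged-in user can read from the admin footer. The guard
    // only applies inside WordPress, where current_user_can() exists.
    if (function_exists('current_user_can') && !current_user_can('upload_files')) {
        throw new RuntimeException('insufficient capability');
    }
    $url = validate_remote_image_url($url);

    // Fetch over HTTP only and never copy() from a path; redirects are not
    // followed because the redirect target has not been validated.
    $ctx   = stream_context_create(['http' => ['timeout' => 10, 'follow_location' => 0]]);
    $bytes = @file_get_contents($url, false, $ctx, 0, $max_bytes + 1);
    if ($bytes === false || strlen($bytes) > $max_bytes) {
        throw new RuntimeException('download failed or exceeded the size limit');
    }

    // Extension from content, random name: neither the URL nor a client-supplied
    // content_type influences what lands in the web-accessible directory.
    $ext  = image_extension_from_bytes($bytes);
    $dest = rtrim($dest_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (file_put_contents($dest, $bytes, LOCK_EX) === false) {
        throw new RuntimeException('could not write ' . $dest);
    }
    return $dest;
}
```

Inside WordPress the same checks are available from core: wp_http_validate_url() rejects non-http(s) schemes and hosts on private ranges, and wp_safe_remote_get() performs the download with that validation applied. The nonce should be printed only on the plugin's own admin screens for users who hold the required capability, and the AJAX action should be registered behind a capability check rather than added to a per-user allowlist.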

Affected Systems

Affects the Slider Revolution WordPress plugin (listed under the vendor name Revolution Slider) in versions 7.0 through 7.0.10, and therefore every WordPress site running one of those versions. Exploitation needs only a valid account at Subscriber level or above, so sites with open registration, membership or e-commerce features, or many low-privilege accounts are the most exposed.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium; vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: network-reachable, low attack complexity, low privileges required, no user interaction, high confidentiality impact, no integrity or availability impact). The EPSS score is below 1%, the SSVC assessment records no known exploitation and rates the flaw as not automatable, and the vulnerability is not listed in the CISA KEV catalog. The attack requires only a Subscriber-level login: the nonce is exposed on wp-admin pages through the admin_footer hook, and the AJAX action is reachable by any logged-in user. Successful exploitation discloses the contents of server files with non-blacklisted extensions that the web server process can read; it does not by itself allow code execution, but the listed extensions cover database dumps, logs, configuration files and key material, so the practical severity depends on what such files hold on a given site. Administrators should treat it as warranting prompt remediation, particularly where self-registration is enabled.

Generated by OpenCVE AI on June 18, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Slider Revolution to a release later than 7.0.10 as soon as the vendor publishes one. This page records no vendor fix or workaround at the time of writing, so confirm in the vendor's changelog that the release addresses the nonce exposure and the local-path handling in import_media() before relying on it.
  • Until then, reduce exposure: keep WordPress core, plugins and themes current, disable open user registration where it is not needed, review accounts holding Subscriber or higher privileges, and consider blocking calls to the wordpress.create.image_from_url action from non-administrator users at the web application firewall.
  • Check /wp-content/uploads/revslider/ai/ for files that are not images (for example .sql, .log, .json, .txt) and check the web server access logs for requests to non-image files in that directory. Treat any such file as disclosed: rotate credentials or keys it contained, then remove it. Ensure the uploads directory serves only the file types it is meant to hold.
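
The third action above is the check a responder actually runs. The following PHP CLI script is an added example, not part of the plugin or of this advisory: it lists files in the named directory whose bytes are not an image, and scans combined-format access log lines for successful fetches of non-image names under /wp-content/uploads/revslider/ai/. The directory path, the log file name and the two sample log lines are constructed for demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not part of the plugin or this advisory: a post-incident check
// for the directory the advisory names. Usage (assumed layout):
//   php audit_revslider_ai.php /var/www/html/wp-content/uploads/revslider/ai access.log
// Without arguments the log scan runs over the constructed sample lines below.

const AI_DIR_PREFIX = '/wp-content/uploads/revslider/ai/';
const IMAGE_EXTS    = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'svg'];

/** Files whose content is not an image do not belong in this directory; list them. */
function audit_exposed_dir(string $dir): array
{
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $mime = $finfo->file($file->getPathname()) ?: 'unknown';
        if (strncmp($mime, 'image/', 6) !== 0) {          // judged by bytes, not name
            $findings[] = [
                'path'  => $file->getPathname(),
                'mime'  => $mime,
                'bytes' => $file->getSize(),
                'mtime' => date('c', $file->getMTime()),
            ];
        }
    }
    return $findings;
}

/** Successful GET/HEAD requests for non-image names under the directory. */
function suspicious_downloads(iterable $lines): array
{
    $hits = [];
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})~';
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;
        }
        $ip = $m[1]; $when = $m[2]; $target = $m[3]; $status = $m[4];
        $path = parse_url($target, PHP_URL_PATH) ?: '';
        if ($status !== '200' || strncmp($path, AI_DIR_PREFIX, strlen(AI_DIR_PREFIX)) !== 0) {
            continue;
        }
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        if (!in_array($ext, IMAGE_EXTS, true)) {
            $hits[] = ['ip' => $ip, 'time' => $when, 'path' => $path];
        }
    }
    return $hits;
}

// Constructed sample lines: one benign image fetch, one fetch of a copied .sql file.
$sample = [
    '203.0.113.7 - - [10/Jun/2026:08:01:11 +0000] "GET /wp-content/uploads/revslider/ai/hero.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2026:08:01:15 +0000] "GET /wp-content/uploads/revslider/ai/db-backup.sql HTTP/1.1" 200 913224 "-" "curl/8.5.0"',
];

$dir = $argv[1] ?? null;
$log = $argv[2] ?? null;
$findings  = ($dir !== null && is_dir($dir)) ? audit_exposed_dir($dir) : [];
$downloads = suspicious_downloads(
    ($log !== null && is_readable($log)) ? new SplFileObject($log) : $sample);

foreach ($findings as $f) {
    printf("NON-IMAGE FILE %s (%s, %d bytes, modified %s)\n",
           $f['path'], $f['mime'], $f['bytes'], $f['mtime']);
}
foreach ($downloads as $d) {
    printf("DOWNLOAD %s fetched %s at %s\n", $d['ip'], $d['path'], $d['time']);
}
```

The directory check judges files by their magic bytes rather than their extension, because the copied file keeps whatever extension the attacker's content_type produced; the log check is the reverse, matching on the requested name, since a file that has since been deleted leaves only the access-log trace. Each hit from the log scan names the source IP and time, which is what is needed to decide which account to review and which secrets to rotate.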

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 21:15:00 +0000

Type: Description
Values Removed: The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to and including 7.0.10. [remainder identical to the current Description above]
Values Added: The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions 7.0 to 7.0.10. [remainder unchanged]

Type: Title
Values Removed: Slider Revolution <= 7.0.10 - Authenticated (Subscriber+) Sensitive Information Disclosure
Values Added: Slider Revolution 7.0 - 7.0.10 - Authenticated (Subscriber+) Sensitive Information Disclosure

Tue, 09 Jun 2026 16:30:00 +0000

Type: Metrics (SSVC)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Revolution Slider; Revolution Slider slider Revolution; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Revolution Slider; Revolution Slider slider Revolution; Wordpress; Wordpress wordpress

Tue, 09 Jun 2026 08:45:00 +0000

Type: Description
Values Added: The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to and including 7.0.10. [remainder identical to the current Description above]

Type: Title
Values Added: Slider Revolution <= 7.0.10 - Authenticated (Subscriber+) Sensitive Information Disclosure

Type: Weaknesses
Values Added: CWE-200

Type: References
Values Added: (empty)

Type: Metrics (CVSS v3.1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Revolution Slider: Slider Revolution
Wordpress: Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-18T20:45:13.175Z

Reserved: 2026-04-30T18:43:22.295Z

Link: CVE-2026-7542

Vulnrichment

Updated: 2026-06-09T16:03:42.549Z

NVD

Status: Deferred

Published: 2026-06-09T09:16:30.880

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-7542

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T00:00:06Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor