Impact
The Slider Revolution plugin for WordPress suffers from a CWE‑200 Information Exposure weakness that allows authenticated users, even those with only Subscriber privileges, to gain access to sensitive data. The plugin leaks a valid backend AJAX nonce (revslider_actions) to all logged‑in users via an admin_footer hook, exposing the nonce to potential attackers. Additionally, the wordpress.create.image_from_url action is placed in a public allowlist, bypassing the administrator‑only restriction. The create_wordpress_image_from_url function accepts attacker‑controlled URL parameters and delegates to import_media(); the path_or_url_exists check incorrectly accepts local filesystem paths rather than restricting input to remote URLs, so arbitrary server files can be copied to the public uploads directory. Finally, the MIME type check trusts an attacker‑supplied content_type string to determine the destination file extension, and the source extension blacklist does not block many sensitive types (.sql, .log, .json, .bak, .xml, .csv, .conf, .yml, .yaml, .pem, .key, .crt, .txt, .db, etc.). As a result, any authenticated user can trigger the plugin to copy non‑blacklisted files from the server to a publicly accessible URL and read their contents.
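As an added illustration (not code from the Slider Revolution plugin), the following PHP shows how such an import path can be hardened: the URL must be http(s) with a host rather than a local path, the destination extension is derived from the downloaded bytes through an allowlist instead of the client-supplied content_type, and authorization rests on a capability check rather than the nonce. Function names, the allowlist and the uploads directory argument are assumptions; download_url(), is_wp_error() and current_user_can() are WordPress core functions.

```php
<?php
// Added example, not Slider Revolution's code: a hardened "import image from URL"
// path addressing the three weaknesses described above. Names are assumptions.
require_once ABSPATH . 'wp-admin/includes/file.php'; // provides download_url()

// Allowlist: sniffed MIME type => destination extension (replaces a source-extension blacklist).
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

// Only absolute http(s) URLs pass; local paths and other schemes are refused outright.
function is_acceptable_remote_url(string $url): bool {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false; // relative or absolute filesystem path, not a remote URL
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Extension comes from the downloaded bytes, never from a client-supplied content_type.
function extension_for_bytes(string $path): ?string {
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return ALLOWED_IMAGE_TYPES[$mime] ?? null;
}

// Returns the stored path, or an 'error: ...' string. Authorization is a capability
// check, not a nonce check, so a leaked nonce alone grants nothing.
function import_remote_image(string $url, string $uploads_dir): string {
    if (!current_user_can('upload_files')) {
        return 'error: insufficient capability';
    }
    if (!is_acceptable_remote_url($url)) {
        return 'error: only http(s) URLs are accepted';
    }
    $tmp = download_url($url); // WordPress core; returns WP_Error on failure
    if (is_wp_error($tmp)) {
        return 'error: download failed';
    }
    $ext = extension_for_bytes($tmp);
    if ($ext === null) {
        unlink($tmp);
        return 'error: not an allowlisted image type';
    }
    $dest = rtrim($uploads_dir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    return rename($tmp, $dest) ? $dest : 'error: could not store file';
}
```

Because the destination name is random and the extension is chosen from the sniffed type, a request cannot pick either the source path on disk or the stored file's extension.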
Affected Systems
Affects the Slider Revolution (Revolution Slider) plugin for WordPress in all versions up to and including 7.0.10, and therefore every WordPress site with such a version installed. Any authenticated user, even one with only Subscriber privileges, can exploit the vulnerability, so the impact spans all sites running a vulnerable version of the plugin.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate to high risk, while the EPSS score of <1% indicates a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The attack requires only user authentication and access to the plugin’s AJAX interface, which is available to all logged‑in users. Exploitation leads to the disclosure of arbitrary non‑blacklisted server files but does not allow arbitrary code execution. Administrators should consider the vulnerability significant enough to warrant immediate remediation.
OpenCVE Enrichment