Description
The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 7.0.0 - 7.0.14, via the 'slider.get.full' AJAX Action. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including raw social media API credentials: the Instagram OAuth token, Flickr API key, YouTube Data API key, and Facebook App ID, stored in any configured slider's settings.
Published: 2026-06-01
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Slider Revolution plugin for WordPress is vulnerable to sensitive information exposure in versions 7.0.0 through 7.0.14. The flaw is triggered via the 'slider.get.full' AJAX action, which allows authenticated users with Contributor or higher roles to retrieve raw social media API credentials—such as Instagram OAuth tokens, Flickr API keys, YouTube Data API keys, and Facebook App IDs—from slider settings. This directly compromises confidentiality of those credentials, potentially enabling attackers to access the associated external services.

Affected Systems

WordPress sites that have the Slider Revolution plugin installed in any version from 7.0.0 to 7.0.14 are affected. Site owners should check the installed plugin version and ensure it falls outside the vulnerable range.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires an attacker to first obtain an authenticated user account with Contributor-level access or higher. Once authenticated, the attacker can download sensitive credentials that may be used to compromise external social media accounts or other services. The overall risk remains moderate, and site owners with contributor accounts should apply the fix promptly.

Generated by OpenCVE AI on June 2, 2026 at 02:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Slider Revolution to version 7.0.15 or later to remove the vulnerable AJAX endpoint.
  • After upgrading, reset any exposed social media credentials in slider settings to prevent misuse.
  • Limit or remove Contributor and higher role access to trusted users only to reduce the attack surface.


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 02:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Revolution Slider; Revolution Slider slider Revolution; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Revolution Slider; Revolution Slider slider Revolution; Wordpress; Wordpress wordpress

Tue, 02 Jun 2026 00:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 7.0.0 - 7.0.14, via the 'slider.get.full' AJAX Action. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including raw social media API credentials: the Instagram OAuth token, Flickr API key, YouTube Data API key, and Facebook App ID, stored in any configured slider's settings.

Type: Title
Values Removed: (none)
Values Added: Slider Revolution 7.0.0 - 7.0.14 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-863

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-01T23:28:27.185Z

Reserved: 2026-05-19T20:01:06.206Z

Link: CVE-2026-9048

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-02T00:16:49.907

Modified: 2026-06-02T00:16:49.907

Link: CVE-2026-9048

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T02:15:06Z

Weaknesses