MEDIUM 6.5

CVE-2026-7542: Slider Revolution WordPress Plugin Information Disclosure Vulnerability

The Slider Revolution WordPress plugin (versions 7.0 to 7.0.10) contains a critical information disclosure flaw that allows low-privileged users to read sensitive server files. The vulnerability chains three design weaknesses: the plugin exposes AJAX security tokens to all logged-in users, it incorrectly allows unauthenticated access to a file-copying function, and it fails to properly validate and restrict which files can be copied to the public web directory. An attacker with a basic Subscriber account can exploit this to extract configuration files, database backups, credentials, keys, and logs—essentially any non-blacklisted file type on the server.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-18

NVD description (verbatim)

The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions 7.0 to 7.0.10. This is due to three compounding design flaws: (1) the plugin leaks a valid backend AJAX nonce (revslider_actions) to all authenticated users including Subscribers via the admin_footer hook; (2) the wordpress.create.image_from_url action is explicitly allowlisted in the $user_allowed array, bypassing the administrator-only access control; (3) the create_wordpress_image_from_url() function accepts an attacker-controlled url parameter that is passed to import_media(), where path_or_url_exists() explicitly accepts local filesystem paths (file_exists() && is_readable()) with no restriction to remote HTTP/HTTPS URLs, and @copy() physically copies those files into the publicly accessible /wp-content/uploads/revslider/ai/ directory. The MIME type check trusts the attacker-supplied content_type parameter to derive the destination extension without verifying actual file content, and the source extension blacklist does not block many sensitive types (.sql, .log, .json, .bak, .xml, .csv, .conf, .yml, .yaml, .pem, .key, .crt, .txt, .db, etc.). This makes it possible for authenticated attackers with Subscriber-level access and above to read the contents of server files with non-blacklisted extensions by having them copied to a publicly accessible URL.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exploits three compounding flaws in the plugin's architecture. First, a valid revslider_actions AJAX nonce is leaked via the admin_footer hook to all authenticated users regardless of role. Second, the wordpress.create_image_from_url AJAX action is whitelisted in the $user_allowed array without proper capability checks, allowing Subscriber-level access. Third, the create_wordpress_image_from_url() function passes attacker-controlled url parameters to import_media(), which invokes path_or_url_exists()—a function that accepts both remote URLs and local filesystem paths via file_exists() and is_readable() checks. The resulting @copy() operation places files into /wp-content/uploads/revslider/ai/, a publicly accessible directory. The MIME type validation trusts the attacker-supplied content_type parameter for the destination file extension without verifying actual content, and the source-file extension blacklist is incomplete, failing to block .sql, .log, .json, .bak, .xml, .csv, .conf, .yml, .yaml, .pem, .key, .crt, .txt, .db, and other sensitive types. This allows authenticated attackers to copy arbitrary server files to a public URL for direct exfiltration.

Business impact

This vulnerability poses a significant risk to WordPress site operators. An attacker with a basic Subscriber account—or anyone able to create one—can extract sensitive application secrets including database credentials in configuration files, private keys and certificates, database backups, API keys, and audit logs. The stolen data can facilitate further attacks such as database compromise, lateral movement across infrastructure, and supply chain attacks if the WordPress site is part of a larger ecosystem. The public nature of the exfiltration (files copied to /wp-content/uploads/) means no authentication or specialized tooling is required to retrieve stolen data, amplifying the exposure window.

Affected systems

WordPress installations running Slider Revolution plugin versions 7.0 through 7.0.10 are affected. The vulnerability requires that the plugin be both installed and active. Any WordPress site using this plugin version range with authenticated user registration enabled (even if registration is restricted) is at risk. Sites that allow user self-registration or have contributor/editor accounts are of particular concern.

Exploitability

Exploitability is high in real-world environments. The attack requires only valid WordPress credentials at the Subscriber level, which is the lowest-privileged authenticated role. No administrator intervention, special configuration, or complex social engineering is required—a legitimate low-privilege user or an attacker who has registered for an account can immediately exploit the flaw. The AJAX endpoint is accessible over the network without requiring special browser capabilities or bypassing CSRF protections (the nonce is already leaked). Proof-of-concept exploitation is straightforward and does not require advanced technical knowledge. No active exploitation in the wild is currently tracked, but the simplicity of the attack chain makes weaponization likely once details become widely known.

Remediation

Update Slider Revolution to a patched version released after 7.0.10. Site operators should immediately verify against the plugin vendor's official security advisory for the specific patched version. In addition to patching, administrators should audit access logs and the /wp-content/uploads/revslider/ai/ directory for evidence of exploitation, review user accounts for unauthorized registrations, and consider regenerating all server credentials (database passwords, API keys, certificates) to invalidate any exfiltrated secrets. Apply the principle of least privilege: disable user registration if not required, and audit the capabilities of existing users to ensure none have elevated permissions beyond necessity.

Patch guidance

Visit the Slider Revolution plugin's official repository or the vendor's security advisory page to identify the first patched version released after 7.0.10. Apply the update through the WordPress admin dashboard or via your hosting provider's plugin management interface. After patching, verify the plugin version in the WordPress admin to confirm successful deployment. Test the website's functionality post-patch to ensure no regressions. Consider using automated plugin update mechanisms and security scanning tools to catch similar issues early.

Detection guidance

Monitor WordPress access logs for POST requests to wp-admin/admin-ajax.php with the action parameter set to wordpress.create_image_from_url, especially those originating from low-privilege users. Audit the /wp-content/uploads/revslider/ai/ directory for unexpected files, particularly those with extensions matching sensitive configuration types (.sql, .log, .json, .conf, .yml, .pem, .key, etc.). Check for unusual file creation timestamps and access patterns. Implement file integrity monitoring (FIM) on critical configuration files (wp-config.php, .env, database backup locations). Review user registration logs for suspicious or unexpected accounts, particularly around the time of suspected exploitation. Use WordPress security plugins that monitor AJAX activity and provide alerting on suspicious parameter combinations.

Why prioritize this

Although the CVSS score is 6.5 (Medium), this vulnerability warrants urgent patching due to high real-world exploitability and significant business impact. The attack requires minimal privileges, no user interaction, and results in direct exfiltration of credentials and secrets that can unlock downstream attacks on databases, infrastructure, and related systems. Organizations running Slider Revolution should prioritize this update within their standard patch windows for medium-severity vulnerabilities affecting authentication or information disclosure.

Risk score, explained

The CVSS 3.1 score of 6.5 (Medium) reflects the requirement for low-level authenticated access (PR:L) and network attack vector (AV:N) with low complexity (AC:L). The score correctly identifies high confidentiality impact (C:H) with no integrity or availability impact. However, real-world risk is elevated by the ease of obtaining Subscriber credentials, the absence of known active exploitation mitigating factors, and the direct exposure of credentials that enable critical follow-on attacks. The Medium severity rating should not mislead: prioritize remediation based on your site's exposure and the sensitivity of secrets stored in configuration files.

Frequently asked questions

Can an attacker exploit this without a valid WordPress user account?

No. The vulnerability requires authentication to access the vulnerable AJAX endpoint and obtain the nonce. However, if the WordPress site allows user self-registration or has weak authentication controls, an attacker can easily create a low-privilege account to launch the exploit.

What types of files are at highest risk of exfiltration?

Configuration files (wp-config.php, .env, config.php), database backups, private keys and certificates, API keys, logs, and any file with an extension not in the plugin's blacklist. The incomplete blacklist means .sql, .log, .json, .bak, .yml, .pem, .key, and many other sensitive types can be copied. Files outside the web root are not directly accessible unless they are readable by the WordPress process.

How can I tell if my site has been compromised by this vulnerability?

Check the /wp-content/uploads/revslider/ai/ directory for unexpected files, review user registration logs for suspicious accounts created before the patch, and audit WordPress access logs for POST requests to wp-admin/admin-ajax.php with action=wordpress.create_image_from_url. Monitor database and server logs for signs of unauthorized access using exfiltrated credentials.

Do I need to patch immediately if I have disabled user registration?

Patching remains urgent. While disabling public registration reduces the attack surface, existing user accounts (editors, contributors, subscribers) can still exploit the vulnerability. Additionally, disabling registration does not prevent attackers from gaining access through compromised credentials or social engineering.

This analysis is based on vulnerability intelligence available as of the publication date. Exploit details, patch availability, and in-the-wild activity may change; consult the vendor's official security advisory and your WordPress plugin dashboard for the latest patched version numbers and security status. This information is provided for security professionals and site administrators to improve their defensive posture and is not an endorsement of any third-party tools or services. Always test patches in a staging environment before deploying to production. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).