MEDIUM 4.3

CVE-2026-9048: Slider Revolution Sensitive Information Exposure (API Credentials)

Slider Revolution, a popular WordPress plugin, contains a vulnerability that allows authenticated users with basic contributor privileges to view sensitive social media API credentials through a specific AJAX action. An attacker with contributor-level access or higher can call the 'slider.get.full' AJAX action to retrieve raw API tokens and keys—including Instagram OAuth tokens, Flickr API keys, YouTube Data API credentials, and Facebook App IDs—that have been configured within slider settings. This exposure affects plugin versions 7.0.0 through 7.0.14.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-863
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 7.0.0 - 7.0.14, via the 'slider.get.full' AJAX Action. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including raw social media API credentials: the Instagram OAuth token, Flickr API key, YouTube Data API key, and Facebook App ID, stored in any configured slider's settings.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9048 is an Insecure Direct Object Reference (IDOR) vulnerability mapped to CWE-863 (Incorrect Authorization) in Slider Revolution versions 7.0.0 to 7.0.14. The vulnerability exists in the 'slider.get.full' AJAX action, which fails to enforce adequate authorization checks or data filtering when returning slider configuration data. Authenticated attackers with Contributor role or above can enumerate slider IDs and extract sensitive configuration values, specifically third-party API credentials stored unencrypted or inadequately protected within the slider settings. The vulnerability requires network access and valid WordPress authentication but no additional user interaction.

Business impact

Exposure of social media API credentials creates multiple downstream risks. Compromised Instagram OAuth tokens, Flickr API keys, YouTube Data API credentials, and Facebook App IDs can be leveraged to impersonate your organization on those platforms, access user data without consent, post unauthorized content, or incur unexpected API costs. For organizations using Slider Revolution to manage branded content sliders, this represents a vector through which even low-privileged contributors—temporary staff, contractors, or compromised accounts—can exfiltrate credentials that may be shared across multiple company systems. The moderate CVSS score (4.3) reflects that exploitation requires authentication, but the ease of exploitation and breadth of affected platforms elevate practical risk.

Affected systems

Any WordPress site running Slider Revolution versions 7.0.0 through 7.0.14 with configured social media integrations is potentially affected. Sites with multiple contributors, guest authors, or shared content management workflows face heightened risk due to the lower authentication barrier. Sites that do not use the social media API integration features within Slider Revolution may not have exposed credentials, but this is difficult to audit retroactively without plugin review. No evidence suggests vulnerability in versions prior to 7.0.0 or after 7.0.14.

Exploitability

Exploitation requires valid WordPress authentication; therefore, this is not exploitable from the internet by an unauthenticated attacker. However, many WordPress sites maintain relatively open contributor roles—freelance writers, social media managers, temporary staff, or agency partners often receive contributor access. The AJAX action can be called directly with minimal complexity; no complex interaction or race conditions are required. Once credentials are extracted, they can be used immediately on third-party platforms. The barrier to exploitation is low for anyone with site access, making this a credible risk in environments with permissive user management or where contributor accounts have been compromised.

Remediation

Update Slider Revolution to version 7.0.15 or later as soon as possible. Verify the patch version against the vendor advisory to confirm the vulnerability has been addressed. Additionally, immediately audit all social media API credentials configured within Slider Revolution sliders and regenerate any tokens or keys that may have been exposed. Disable or rotate credentials in Instagram, Flickr, YouTube, and Facebook app settings. Review WordPress user access logs to identify any suspicious AJAX calls to 'slider.get.full'. As a preventive measure, regularly audit contributor-level access and implement principle of least privilege for social media management roles.

Patch guidance

Upgrade Slider Revolution to version 7.0.15 or later through the WordPress plugin dashboard or manually via the plugin repository. Before deploying, test the upgrade in a staging environment to confirm no custom slider configurations are disrupted. The patch should implement proper authorization checks and redact or exclude sensitive API credentials from the 'slider.get.full' AJAX response. Verify the specific patch version against the official Slider Revolution security advisory to confirm the fix has been applied. After patching, regenerate all exposed API credentials in their respective platforms.

Detection guidance

Monitor WordPress audit logs for repeated or unusual calls to 'slider.get.full' AJAX action from contributor or lower-privileged accounts, especially outside business hours or from unfamiliar IP addresses. Check Web Application Firewall (WAF) logs for suspicious AJAX patterns. Review slider configuration history in the plugin's revision log if available. Examine WordPress user access logs for accounts with contributor role that have no legitimate business need for that access. Search plugin options in the WordPress database (wp_options table and postmeta) for plaintext API credentials to confirm exposure. Use WordPress security scanning tools that flag hardcoded API keys in plugin settings.

Why prioritize this

Although the CVSS score is moderate (4.3) and exploitation requires authentication, this vulnerability warrants near-term patching because: (1) social media API credentials are high-value targets that enable account takeover, unauthorized posting, and data exfiltration; (2) exploitation is trivial once authenticated; (3) contributor roles are common in WordPress environments; (4) the plugin is popular, increasing the number of affected installations. Prioritize sites where Slider Revolution manages branded or business-critical social media content, and those with multiple contributors or open access policies.

Risk score, explained

The CVSS 3.1 score of 4.3 (MEDIUM severity) reflects: Attack Vector = Network (site accessible online), Attack Complexity = Low (no special conditions needed), Privileges Required = Low (contributor role is basic), User Interaction = None (no user action needed), Scope = Unchanged, Confidentiality = Low (sensitive data exposed but limited in scope to configured credentials), Integrity = None, Availability = None. The score appropriately captures that authentication is required, limiting broad exploitability, but underscores the ease of exploitation for insiders and the high business value of exposed secrets. Organizations should treat this as higher-priority than the numeric score suggests due to the nature of the exposed data.

Frequently asked questions

How do I know if my Slider Revolution installation has configured social media API credentials at risk?

Log in to WordPress and navigate to the Slider Revolution plugin settings. Review each slider's configuration to determine if Instagram OAuth, Flickr API, YouTube Data API, or Facebook App credentials have been stored. If any social media integrations are configured, assume credentials may have been exposed if you are running versions 7.0.0–7.0.14 and your site has had contributors or other authenticated users. Regenerate those credentials immediately as a precaution.

Do I need to update if I don't use social media API integrations in Slider Revolution?

You should still patch as soon as possible. While the vulnerability specifically exposes social media API credentials, unpatched versions remain subject to the underlying authorization flaw. A future vulnerability could expose other sensitive data stored in slider settings. Additionally, you cannot be certain that no slider has been configured with APIs in the past, or that a compromised or rogue contributor didn't add such credentials without your knowledge.

Can unauthenticated attackers exploit this vulnerability?

No. The vulnerability requires valid WordPress authentication. However, this does not eliminate risk if your site permits account registration, uses weak default passwords, or has contributor accounts that are shared among team members or have been compromised via credential stuffing or phishing. Ensure strong WordPress user management practices.

What should I do with the API credentials once I've updated the plugin?

Regenerate all exposed API tokens and keys in their respective platforms immediately: revoke and refresh your Instagram OAuth token, regenerate your Flickr API key, rotate your YouTube Data API credentials, and reset your Facebook App ID if applicable. Test that sliders still function correctly with the new credentials. This breaks any potential abuse of exfiltrated credentials and ensures you have full control of those integrations going forward.

This analysis is provided for informational purposes and reflects publicly available information as of the publication date. SEC.co does not provide warranty regarding the completeness or accuracy of third-party vendor data, patch timelines, or exploit prevalence. Organizations should verify patch availability and compatibility with their specific plugin version and WordPress environment before deploying updates. This advisory does not constitute legal advice or guarantee against compromise. Always test patches in a non-production environment first. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).