VYPR
Medium severity 6.5 · NVD Advisory · Published Jun 9, 2026

CVE-2026-7542

Description

WordPress Slider Revolution plugin up to 7.0.10 allows authenticated users to disclose server file contents via a crafted AJAX request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to and including 7.0.10. This vulnerability stems from three design flaws: the plugin leaks a backend AJAX nonce to all authenticated users, the wordpress.create.image_from_url action bypasses administrator-only access controls, and the create_wordpress_image_from_url() function allows copying local filesystem files to the public /wp-content/uploads/revslider/ai/ directory using the url parameter. The MIME type check trusts an attacker-supplied content_type parameter for the destination file extension, and the source extension blacklist is incomplete [1].

Exploitation

An authenticated attacker with at least Subscriber-level access can exploit this vulnerability. The attacker first obtains a valid backend AJAX nonce (revslider_actions) which is leaked to all authenticated users. They then craft a request to the wordpress.create.image_from_url action, providing a local file path in the url parameter and a desired file extension in the content_type parameter. This triggers the plugin to copy the specified server file to the publicly accessible uploads directory.

Impact

Successful exploitation allows an attacker to read the contents of arbitrary server files that have non-blacklisted extensions. The copied files are placed in the publicly accessible /wp-content/uploads/revslider/ai/ directory, making their content readily available. This can lead to the disclosure of sensitive information such as configuration files, database credentials, or private keys, depending on the files accessible to the webserver process.

Mitigation

Slider Revolution versions up to and including 7.0.10 are affected. Version 7.0.15 has been released, which addresses this vulnerability. Users are strongly advised to update to the latest available version of Slider Revolution. No specific workarounds are mentioned in the available references [1].
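
An added example, not part of the advisory or the plugin's code: because the flaw described above lets the caller choose the destination extension while the content comes from a local file, files under /wp-content/uploads/revslider/ai/ whose bytes do not match their extension are worth reviewing after updating. The format list, function names and sample files below are assumptions constructed for illustration.

```python
import os
import tempfile

# Leading bytes of the raster formats an image-import feature should produce
# (assumed list; extend it to match the formats your site actually uses).
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def sniff_is_image(head, ext):
    """True if the first bytes match the format the extension claims."""
    if ext == "webp":  # RIFF container: 'RIFF' <size> 'WEBP'
        return head[:4] == b"RIFF" and head[8:12] == b"WEBP"
    return any(head.startswith(m) for m in IMAGE_MAGIC.get(ext, ()))

def audit_upload_dir(root):
    """Return sorted relative paths whose content does not match their extension."""
    suspicious = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            with open(path, "rb") as fh:
                head = fh.read(16)
            if not sniff_is_image(head, ext):
                suspicious.append(os.path.relpath(path, root))
    return sorted(suspicious)

def build_sample_dir():
    """Constructed sample tree standing in for wp-content/uploads/revslider/ai/."""
    root = tempfile.mkdtemp(prefix="revslider_ai_")
    samples = {
        "hero.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
        "anim.webp": b"RIFF\x10\x00\x00\x00WEBPVP8 ",
        "copied.png": b"constructed text file contents, not an image\n",
        "notes.txt": b"constructed non-image file\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    for rel in audit_upload_dir(target):
        print("content/extension mismatch:", rel)
```

Run it with the real uploads path as the only argument; any file it lists should be inspected and, if it contains server data, treated as disclosed.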

References
  1. Changelog

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
