VYPR
Medium severity 4.3 · NVD Advisory · Published Jun 2, 2026

CVE-2026-9048

Description

The Slider Revolution plugin for WordPress, versions 7.0.0-7.0.14, exposes sensitive social media API credentials via an AJAX action.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Slider Revolution plugin for WordPress, versions 7.0.0 through 7.0.14, contains a vulnerability in the slider.get.full AJAX action that exposes sensitive data stored in the plugin's settings.

Exploitation

An attacker with at least Contributor-level access to a WordPress site can exploit this vulnerability. By triggering the slider.get.full AJAX action, the attacker can extract sensitive information, including raw social media API credentials such as the Instagram OAuth token, Flickr API key, YouTube Data API key, and Facebook App ID, which are configured in any slider's settings.

Impact

Successful exploitation of this vulnerability allows an authenticated attacker to gain access to sensitive social media API credentials. This could lead to unauthorized access to associated social media accounts, potential misuse of API functionalities, and further compromise of user data or services connected to these credentials.

Mitigation

This vulnerability affects Slider Revolution versions 7.0.0 through 7.0.14. Users are advised to update to a patched version as soon as it becomes available. Specific patch details and release dates are not yet disclosed in the available references. The vendor website [1] provides general information about the plugin but does not contain specific mitigation details for this vulnerability.

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
