VYPR
patch · May 6, 2026 · 1 source

Authenticated Arbitrary File Upload Vulnerability Patched in Slider Revolution 7 WordPress Plugin

A critical file upload vulnerability in the Slider Revolution 7 WordPress plugin has been patched, preventing potential remote code execution by authenticated attackers.

A critical authenticated arbitrary file upload vulnerability has been identified and patched in the Slider Revolution 7 WordPress plugin. The flaw, which was discovered and reported by researcher h0xilo through the Wordfence Bug Bounty Program, could allow authenticated attackers with subscriber-level access or higher to upload arbitrary files to a target site [Wordfence].

The vulnerability specifically affects the 7.0 major release of the plugin, which is estimated to be in use on approximately 45,000 websites; the plugin as a whole has over 5,000,000 total active installations. Successful exploitation of this vulnerability enables attackers to achieve remote code execution (RCE) on the affected WordPress environment.

The developers of Slider Revolution have released a patch to address this security gap. Site administrators using version 7.0 are urged to update their installations immediately to the latest version to prevent potential exploitation. Further details regarding the vulnerability can be found in the official Wordfence advisory.

Synthesized by Vypr AI