Critical File Upload Vulnerability Patched in Slider Revolution Plugin
A critical vulnerability in the Slider Revolution WordPress plugin allows authenticated users to upload arbitrary files, potentially leading to remote code execution.

A critical security vulnerability in the Slider Revolution WordPress plugin has been addressed, following the discovery of an authenticated arbitrary file upload flaw that could lead to remote code execution (RCE). The vulnerability, tracked as CVE-2026-6692, carries a CVSS score of 8.8, indicating a high level of severity (Wordfence).
The flaw resides within the plugin's _get_media_url and _check_file_path functions. Technical analysis reveals that the library.load.image AJAX action is incorrectly whitelisted in the RevSliderAPI class, making it accessible to any authenticated user, including those with subscriber-level permissions (Wordfence). Because the plugin fails to perform sufficient file type validation, an attacker with such an account can use this access to upload arbitrary files to the server. If those files are executable, the attacker can achieve full remote code execution on the affected WordPress site (Wordfence).
While Slider Revolution is installed on over 5,000,000 websites, the vulnerability is limited to the 7.0 major release branch. Consequently, it is estimated that approximately 45,000 sites are currently exposed to the risk (Wordfence). The vulnerability was discovered and reported by researcher h0xilo through the Wordfence Bug Bounty Program, for which they received a $4,914.00 bounty (Wordfence).
The developer, ThemePunch, was notified of the issue on April 20, 2026, and released an initial patch on April 22, 2026, followed by a final, comprehensive patch on May 4, 2026 (Wordfence). Users are strongly advised to update their installations to version 7.0.11 immediately to mitigate the risk of exploitation (Wordfence).
To provide immediate protection, Wordfence deployed a firewall rule to its Premium, Care, and Response customers on April 20, 2026. Users of the free version of the Wordfence plugin are scheduled to receive the same protective firewall update on May 20, 2026 (Wordfence).
This incident highlights the ongoing security challenges associated with complex, feature-rich plugins in the WordPress ecosystem. AJAX actions that are improperly exposed to low-privileged users remain a common vector for RCE vulnerabilities. As plugin developers continue to expand functionality, rigorous input validation and strict access control remain essential defenses against unauthorized code execution. Site administrators are advised to monitor for similar vulnerabilities in major plugin releases.
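The two root causes described above (an AJAX action reachable by any logged-in user, and insufficient file type validation before a file reaches disk) map directly onto the defenses a WordPress upload handler needs. The following is an added example written for this article to illustrate those defenses; it is not Slider Revolution's code and not a Wordfence firewall rule. The action name myplugin_load_image, the nonce action myplugin_media and the choice of the upload_files capability are assumptions made for illustration.

```php
<?php
/**
 * Added example (not Slider Revolution's code): a WordPress AJAX image-upload
 * handler that enforces a capability check, a CSRF nonce and a MIME allowlist.
 * Assumed names: action 'myplugin_load_image', nonce action 'myplugin_media'.
 */

// Registered only for logged-in users (there is deliberately no 'wp_ajax_nopriv_'
// hook). Being logged in is still not an authorization: the capability check in
// the handler is what keeps subscriber-level accounts out.
add_action( 'wp_ajax_myplugin_load_image', 'myplugin_handle_image_upload' );

/**
 * The only file types that may ever be written to disk by this action.
 * Executable and script-capable types (php, phtml, html, svg, ...) are absent.
 */
function myplugin_allowed_image_mimes() {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
}

function myplugin_handle_image_upload() {
    // 1. Access control: require a real capability, not just an authenticated session.
    //    'upload_files' is granted to Authors and above, never to Subscribers.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: the nonce is bound to the current user and to this
    //    action; check_ajax_referer() terminates the request on a mismatch.
    check_ajax_referer( 'myplugin_media', 'nonce' );

    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file received.' ), 400 );
    }

    $file  = $_FILES['file'];
    $mimes = myplugin_allowed_image_mimes();

    // 3. File type validation against the allowlist. wp_check_filetype_and_ext()
    //    matches the extension to the allowlist and, for images, inspects the real
    //    content; a script renamed to .png leaves 'ext' and 'type' empty.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not allowed.' ), 415 );
    }

    // 4. Never let the client choose the on-disk name: the stored filename is a
    //    random token plus the extension that validation just confirmed, so double
    //    extensions and path fragments in the original name are irrelevant.
    $file['name'] = bin2hex( random_bytes( 8 ) ) . '.' . $check['ext'];

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $overrides = array(
        'test_form' => false,   // request does not come from a standard form post
        'mimes'     => $mimes,  // wp_handle_upload() re-applies the same allowlist
    );
    $result = wp_handle_upload( $file, $overrides );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    // Only the URL and validated type go back to the caller; the server path stays private.
    wp_send_json_success( array( 'url' => $result['url'], 'type' => $result['type'] ) );
}
```

The client side would send the file as the file field and the value of wp_create_nonce( 'myplugin_media' ) as the nonce field to admin-ajax.php with action=myplugin_load_image. The order of the checks matters: the capability test runs before anything touches the uploaded file, so a subscriber-level account never reaches the validation code at all, and the allowlist is applied twice (once by wp_check_filetype_and_ext() and again inside wp_handle_upload()) so that a regression in one layer does not silently reopen the upload path.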