Luc Huynh

#41386 of 53,632 · Total CVSS 6.5 · Vulnerabilities: 1
PT-2026-47722 · CVSS 6.5 · 2026-06-09
WordPress · Slider Revolution · CVE-2026-7542
**Name of the Vulnerable Software and Affected Versions**

Slider Revolution versions prior to 7.0.11

**Description**

The plugin is subject to sensitive information disclosure resulting from three design flaws.

First, a valid backend AJAX nonce, `revslider_actions`, is leaked to all authenticated users, including those with the Subscriber role, via the `admin_footer` hook.

Second, the `wordpress.create.image_from_url` action is included in the `$user_allowed` array, which bypasses the access controls intended to restrict it to administrators.

Third, the `create_wordpress_image_from_url()` function accepts a user-controlled `url` parameter and passes it to `import_media()`. The `path_or_url_exists()` check accepts local filesystem paths as well as URLs, and `@copy()` then copies the referenced file into the publicly accessible `/wp-content/uploads/revslider/ai/` directory. The MIME type check relies on the attacker-supplied `content_type` parameter rather than on the file's contents, and the source extension blacklist fails to block sensitive formats such as `.sql`, `.log`, `.json`, `.bak`, `.xml`, `.csv`, `.conf`, `.yml`, `.yaml`, `.pem`, `.key`, `.crt`, `.txt`, and `.db`. As a result, an authenticated attacker with Subscriber-level access can read server files that are readable by the web server process by copying them to a public URL.

**Recommendations**

Update the plugin to version 7.0.11 or later.
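The third flaw is a chain of three missing checks on the import path: no restriction on the source to remote URLs, an extension blacklist instead of an allowlist, and a MIME type taken from the request instead of from the file. The following plain PHP is an added example, not Slider Revolution's code; it models the vulnerable shape beside a hardened one. `vulnerable_accepts()`, `hardened_accepts()`, the blacklist contents and the sample inputs are all assumptions, and the script runs without WordPress.

```php
<?php
// Added example, not Slider Revolution code. It models the import-side
// weaknesses described above (local paths accepted, extension blacklist,
// MIME type trusted from the request) beside a hardened version. Function
// names, the blacklist contents and the sample inputs are all constructed.
declare(strict_types=1);

// ---- Vulnerable shape ----------------------------------------------------
// A blacklist: every extension NOT listed is accepted, so .key, .sql, .bak,
// .pem and the other formats named in the advisory pass straight through.
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar', 'html', 'js']; // hypothetical

function vulnerable_accepts(string $source, string $claimed_content_type): bool
{
    // No scheme check: a bare filesystem path is handled like a URL.
    $path = parse_url($source, PHP_URL_PATH);
    if (!is_string($path)) {
        $path = $source;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (in_array($ext, BLOCKED_EXTENSIONS, true)) {
        return false;
    }
    // The "MIME check" only inspects what the request claimed.
    return strncmp($claimed_content_type, 'image/', 6) === 0;
}

// ---- Hardened shape ------------------------------------------------------
// An allowlist, each extension bound to the single MIME type it may carry.
const ALLOWED_IMAGE_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'webp' => 'image/webp',
];

function hardened_accepts(string $source, string $fetched_bytes): bool
{
    $parts = parse_url($source);
    // Only remote http(s) URLs: a local path has no scheme or host, and a
    // file:// URL has a scheme but no host, so both are rejected here.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $ext = strtolower(pathinfo($parts['path'] ?? '', PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        return false;
    }
    // MIME type is derived from the bytes actually fetched, never from a
    // request parameter, and must match what the extension promises.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->buffer($fetched_bytes);
    return $detected === ALLOWED_IMAGE_TYPES[$ext];
}

// ---- Stand-alone demo (php this_file.php) with constructed inputs --------
// PNG signature plus an IHDR chunk header, enough for libmagic to classify
// the buffer; in a real handler these bytes come from the fetched response.
$png_bytes = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
    . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00";

$cases = [
    // [source, content_type claimed by the request]
    ['/etc/ssl/private/server.key',  'image/png'],
    ['/var/backups/db.sql',          'image/jpeg'],
    ['file:///etc/passwd',           'image/png'],
    ['https://example.com/logo.png', 'image/png'],
];
foreach ($cases as [$source, $claimed]) {
    printf("%-30s vulnerable=%s hardened=%s\n", $source,
        vulnerable_accepts($source, $claimed) ? 'accept' : 'reject',
        hardened_accepts($source, $png_bytes) ? 'accept' : 'reject');
}
```

The first two flaws are fixed on the handler side rather than in the import code: in WordPress, `check_ajax_referer()` only proves that the request carries a nonce, and here every logged-in user receives that nonce, so the handler must also call `current_user_can()` with a capability appropriate to media imports (such as `upload_files`), and the action must not sit in a list that every authenticated user is permitted to call.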