PT-2026-47722 · WordPress · Slider Revolution

Luc Huynh · Published 2026-06-09 · Updated 2026-06-09
CVE-2026-7542 · CVSS v3.1 6.5 (Medium) · Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Slider Revolution versions prior to 7.0.11

Description: The plugin is subject to sensitive information disclosure resulting from three design flaws. First, a valid backend AJAX nonce (revslider_actions) is leaked to all authenticated users, including those with the Subscriber role, via the admin footer hook. Second, the wordpress.create.image_from_url action is included in the $user_allowed array, which bypasses the access controls intended to restrict it to administrators. Third, the create_wordpress_image_from_url() function accepts a user-controlled url parameter that is passed to import_media(). The path_or_url_exists() function accepts local filesystem paths, and the @copy() call moves such files into the publicly accessible /wp-content/uploads/revslider/ai/ directory. Because the MIME type check relies on the attacker-supplied content_type parameter, and the source extension blacklist fails to block sensitive formats such as .sql, .log, .json, .bak, .xml, .csv, .conf, .yml, .yaml, .pem, .key, .crt, .txt, and .db, authenticated attackers with Subscriber-level access can read server files by copying them to a public URL.

Recommendations: Update the plugin to a version later than 7.0.10.
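As an added illustration (not Slider Revolution's code), the hypothetical AJAX handler below shows the controls the description implies are missing: a capability check rather than a shared nonce alone, a remote http(s)-only source so a local path never reaches copy(), and an image-type allowlist decided from the file's own bytes instead of a client-supplied content_type. The nonce and action names and the allowlist are assumptions.

```php
<?php
// Hypothetical hardened "import image from URL" handler (added example).

// Allowlist of importable image types; an allowlist replaces an extension blacklist.
const IMPORT_ALLOWED_MIME = [
    'jpg|jpeg|jpe' => 'image/jpeg',
    'png'          => 'image/png',
    'gif'          => 'image/gif',
    'webp'         => 'image/webp',
];

function hardened_import_image_from_url() {
    // 1. A nonce proves only that the request came from the site's own pages;
    //    authorization must come from a capability check.
    check_ajax_referer( 'example_import_nonce', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. Accept only remote http(s) URLs. wp_http_validate_url() rejects other
    //    schemes and local/reserved hosts, so a filesystem path is never opened.
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( '' === $url || false === wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'source must be a remote http(s) URL', 400 );
    }

    // 3. Fetch over HTTP into a temp file instead of copying a local path.
    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( $tmp->get_error_message(), 502 );
    }

    // 4. Decide the type from file content; ignore any client-supplied content_type.
    //    wp_check_filetype_and_ext() returns false ext/type when the real type is
    //    not in the allowlist and corrects the extension when it is.
    $name  = sanitize_file_name( basename( wp_parse_url( $url, PHP_URL_PATH ) ?: 'import' ) );
    $check = wp_check_filetype_and_ext( $tmp, $name, IMPORT_ALLOWED_MIME );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        @unlink( $tmp );
        wp_send_json_error( 'not an allowed image type', 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $name = $check['proper_filename'];
    }

    // 5. Let the media library place the file under the verified name.
    $attachment_id = media_handle_sideload( [ 'name' => $name, 'tmp_name' => $tmp ], 0 );
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp );
        wp_send_json_error( $attachment_id->get_error_message(), 500 );
    }
    wp_send_json_success( [ 'id' => $attachment_id, 'url' => wp_get_attachment_url( $attachment_id ) ] );
}
add_action( 'wp_ajax_example_import_image', 'hardened_import_image_from_url' );
```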

Vulnerability type: Information Disclosure
Related identifiers: CVE-2026-7542
Affected products: Slider Revolution