What the vulnerability does
01 Description
The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the '_get_media_url' and '_check_file_path' functions. The cause is insufficient file type validation. Authenticated attackers with subscriber-level access and above can upload files that may be executable, which makes remote code execution possible. The vulnerability was partially patched in version 7.0.10 and fully patched in version 7.0.11.
Explanation of Vulnerability in Simple Terms
02 Summary
Slider Revolution versions 7.0.0 through 7.0.10 do not properly validate file uploads, allowing authenticated users to upload arbitrary files to the server. An attacker with low-level access can upload malicious files, potentially including executable code, to compromise the site. Update to version 7.0.11 or later immediately.
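A triage helper for the version ranges given above, added here as an example and not taken from the plugin or the advisory. The site names and the installed versions in the sample inventory are constructed; the version boundaries come from the text.

```python
import re

# Boundaries from the advisory text.
AFFECTED_FROM = (7, 0, 0)
PARTIAL_FIX = (7, 0, 10)   # partially patched, still inside the affected range
FULL_FIX = (7, 0, 11)


def parse_version(text):
    """Turn '7.0.10' into (7, 0, 10).

    Versions must be compared as integers: as strings, "7.0.9" sorts
    after "7.0.10", so a string range check would miss 7.0.9.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))      # "7.0" -> (7, 0, 0)
    return tuple(parts)


def classify(text):
    v = parse_version(text)
    if v < AFFECTED_FROM:
        return "not-listed"              # the advisory makes no claim here
    if v < PARTIAL_FIX:
        return "vulnerable"
    if v < FULL_FIX:
        return "partially-patched"       # 7.0.10: still needs the update
    return "fixed"


def needs_update(inventory):
    """Return the sites whose installed version is in the affected range."""
    flagged = ("vulnerable", "partially-patched")
    return sorted(s for s, ver in inventory.items() if classify(ver) in flagged)


# Constructed inventory: site name -> installed Slider Revolution version.
SAMPLE_INVENTORY = {
    "shop.example": "7.0.9",
    "blog.example": "7.0.10",
    "docs.example": "7.0.11",
    "old.example": "6.9.9",
}

if __name__ == "__main__":
    for site in needs_update(SAMPLE_INVENTORY):
        print(site, classify(SAMPLE_INVENTORY[site]))
```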
What an attacker can do
03 Attacker Capabilities
Upload arbitrary files, including executable code, to the server.
Potential impact on your site
04 Site Impact
Attackers with basic user accounts can upload malicious files and run code on your site, leading to full compromise.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-level user account on the site (e.g., subscriber or contributor role).
Key dates
06 Disclosure timeline
May 7, 2026: CVE published
May 7, 2026: Record updated