
Authenticated Arbitrary File Upload Vulnerability Patched in Slider Revolution 7 WordPress Plugin

An authenticated arbitrary file upload vulnerability affecting Slider Revolution 7.0.0 to 7.0.10 has been patched in version 7.0.11. This flaw allowed subscriber-level users to achieve remote code execution.


The popular WordPress plugin Slider Revolution recently addressed a high-severity security flaw that allowed authenticated users with subscriber-level access or higher to upload arbitrary files, potentially enabling remote code execution. This vulnerability, tracked as CVE-2026-6692, affected versions 7.0.0 through 7.0.10 of the plugin. With over 5 million active installations, this patch is critical for site security.

Key Takeaways

  • Slider Revolution versions 7.0.0 to 7.0.10 had an authenticated arbitrary file upload vulnerability.
  • The exploit could be triggered by any logged-in user with the subscriber role or above, risking remote code execution.
  • The vulnerability was responsibly disclosed by security researcher h0xilo through the Wordfence Bug Bounty Program, earning a $4,914 bounty.
  • ThemePunch released patches quickly, with full remediation in version 7.0.11; users must update immediately.
  • Wordfence deployed firewall rules protecting premium customers from April 20 and free users from May 20, 2026.

Understanding the Vulnerability in Slider Revolution 7

Slider Revolution is a widely used premium WordPress plugin for building sliders and other visual content with a drag-and-drop interface. The vulnerability discovered lies in how the plugin handled file uploads via AJAX actions accessible to authenticated users. Specifically, the plugin’s library.load.image AJAX action was exposed to all logged-in users, including those with subscriber-level permissions, a role often assigned to basic users on WordPress sites.

The core issue was insufficient validation of file types in the _get_media_url and _check_file_path functions. Attackers could exploit this by uploading arbitrary files, including potentially malicious PHP scripts, that could be executed on the server, leading to remote code execution (RCE). This vulnerability carries a high CVSS score of 8.8, reflecting its critical nature.

Technical Breakdown of the Exploit

In practice, the vulnerability stems from the plugin’s logic that accepts user input to determine file paths and downloads files without properly validating the file extensions or restricting executable file types. The AJAX endpoint library.load.image is whitelisted for authenticated users, meaning any logged-in user could invoke it. The _check_file_path() function constructs a destination path for the file based on attacker-controlled input and calls the download_url() method, which downloads and saves the file on the server.

The lack of strict validation and sanitization allows an attacker to upload executable files disguised as images or other media. Once uploaded, these files can be accessed to execute arbitrary code, compromising the entire WordPress site and potentially the hosting environment.
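As an added illustration (not Slider Revolution's or ThemePunch's code), the following hypothetical WordPress helper shows the three checks whose absence the breakdown above describes: a capability check so subscriber accounts never reach the code path, an image-only extension allowlist, and a destination path confined to the uploads directory. The function name and the `example-media/` subfolder are assumptions; every WordPress API called is a real core function.

```php
<?php
// Added example, not the plugin's own code. Returns a safe destination path
// for a media file about to be fetched into the uploads directory, or a
// WP_Error explaining why the request was refused. Requires WordPress core.
function example_safe_media_destination( $requested_name ) {
    // 1. Least privilege: only roles that may upload files (Author and above by
    //    default) get here; subscribers are rejected before any path is built.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }

    // 2. Drop directory components so "../" or absolute paths cannot steer the
    //    write outside the uploads directory, then sanitize what remains.
    $name = sanitize_file_name( wp_basename( (string) $requested_name ) );
    if ( '' === $name ) {
        return new WP_Error( 'bad_name', 'Empty file name.' );
    }

    // 3. Extension allowlist: only image types. wp_check_filetype() looks at
    //    the final extension, so "shell.jpg.php" resolves to php and is refused.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    $type = wp_check_filetype( $name, $allowed );
    if ( empty( $type['ext'] ) || empty( $type['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only image files may be imported.' );
    }

    // 4. Build the destination under the uploads dir and verify, after path
    //    normalization, that it really stayed inside that directory.
    $upload = wp_upload_dir();
    $base   = wp_normalize_path( trailingslashit( $upload['basedir'] ) );
    $dest   = $base . 'example-media/' . $name;
    if ( 0 !== strpos( wp_normalize_path( $dest ), $base ) ) {
        return new WP_Error( 'bad_path', 'Destination outside uploads directory.' );
    }
    return $dest;
}
```

An extension check alone does not prove the bytes are an image; after `download_url()` fetches the file to a temporary location, run `wp_check_filetype_and_ext()` on that temp file and discard it if the detected type is not in the same allowlist.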

Response and Patching Timeline

Wordfence received the initial vulnerability report on April 18, 2026, submitted by researcher h0xilo through their Bug Bounty Program. Wordfence promptly shared full technical details with ThemePunch, the developers of Slider Revolution, on April 20. ThemePunch reacted swiftly, releasing a partial fix in version 7.0.10 within two days on April 22 and fully remediating the issue in version 7.0.11 on May 4.

The security community widely recognizes this as a strong example of responsible disclosure and coordinated vulnerability management. Wordfence also deployed firewall rules to protect their premium users from attacks exploiting this vulnerability starting April 20, with plans to extend protection to free users 30 days later on May 20. This staged deployment is common to ensure wide protection while allowing time for users to upgrade their plugins.

Scope and Impact Assessment

Although Slider Revolution has more than 5 million active installs, the vulnerability was introduced only in the major 7.0 release. Wordfence estimates approximately 45,000 sites still run vulnerable versions between 7.0.0 and 7.0.10. For most WordPress sites using this plugin, this means a critical update is urgently needed to close the window of exploitation risk.

In real-world deployments, arbitrary file upload vulnerabilities are among the most dangerous classes of WordPress flaws. They allow attackers to bypass authentication barriers and plant backdoors that can persist long-term. Given that subscriber-level accounts are often easy to create or to obtain via credential stuffing, the risk is amplified on sites with open registration or compromised low-level accounts.

What This Means for WordPress Users

We strongly recommend that all users of Slider Revolution update immediately to version 7.0.11 or later. This patch fully addresses the arbitrary file upload vulnerability and closes the attack vector for remote code execution. Sites that delay updating remain exposed to attackers who could leverage subscriber or similar accounts to compromise site integrity.

For developers and agencies managing multiple client sites, integrating automated update tools or managed security services that monitor and enforce plugin updates is essential. The rapid patching timeline in this case shows ThemePunch’s commitment, but the responsibility to deploy updates lies with site operators.

This incident also highlights the importance of layered WordPress security. Employing web application firewalls like Wordfence, enforcing least privilege on user roles, and monitoring for suspicious file uploads can mitigate the risk from similar vulnerabilities in future.

Finally, this case underscores the value of professional vulnerability research and bug bounty programs. The $4,914 bounty awarded to h0xilo incentivizes continued security scrutiny, which benefits the entire WordPress ecosystem.

Frequently Asked Questions

What versions of Slider Revolution are affected by this vulnerability?

Versions 7.0.0 through 7.0.10 of Slider Revolution are affected. The vulnerability was introduced in the major 7.0 release and fully patched in version 7.0.11.

Who can exploit this vulnerability on a WordPress site?

Any authenticated user with subscriber-level access or higher can exploit this vulnerability to upload arbitrary files. This means even low-privilege accounts can be weaponized if the plugin is not updated.

How can site owners protect their sites immediately?

Site owners should update Slider Revolution to version 7.0.11 immediately. Additionally, using a security firewall like Wordfence provides temporary protection against exploit attempts until updates are applied.

What does remote code execution mean for my WordPress site?

Remote code execution (RCE) allows attackers to run malicious code on your server, potentially taking full control of your site, stealing data, or spreading malware. It is one of the gravest security risks.
