📄 Description (English)
The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to and including 7.0.10. This is due to three compounding design flaws: (1) the plugin leaks a valid backend AJAX nonce (revslider_actions) to all authenticated users including Subscribers via the admin_footer hook; (2) the wordpress.create.image_from_url action is explicitly allowlisted in the $user_allowed array, bypassing the administrator-only access control; (3) the create_wordpress_image_from_url() function accepts an attacker-controlled url parameter that is passed to import_media(), where path_or_url_exists() explicitly accepts local filesystem paths (file_exists() && is_readable()) with no restriction to remote HTTP/HTTPS URLs, and @copy() physically copies those files into the publicly accessible /wp-content/uploads/revslider/ai/ directory. The MIME type check trusts the attacker-supplied content_type parameter to derive the destination extension without verifying actual file content, and the source extension blacklist does not block many sensitive types (.sql, .log, .json, .bak, .xml, .csv, .conf, .yml, .yaml, .pem, .key, .crt, .txt, .db, etc.). This makes it possible for authenticated attackers with Subscriber-level access and above to read the contents of server files with non-blacklisted extensions by having them copied to a publicly accessible URL.
🤖 AI Executive Summary
Slider Revolution WordPress plugin versions up to 7.0.10 contain a critical information disclosure vulnerability allowing authenticated Subscriber-level users to read arbitrary server files. The vulnerability chains three design flaws: leaked AJAX nonces, bypassed access controls, and unrestricted file copying to public directories. Attackers can exfiltrate sensitive files including database backups, configuration files, and private keys by exploiting the create_wordpress_image_from_url action.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Jun 9, 2026 14:02
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses severe risk to Saudi organizations using WordPress with Slider Revolution plugin, particularly: (1) Banking sector (SAMA-regulated institutions) — exposure of database backups, API keys, and financial transaction logs; (2) Government agencies (NCA oversight) — disclosure of configuration files, internal documentation, and system credentials; (3) Healthcare providers — HIPAA-equivalent data exposure of patient records stored in database backups; (4) Energy sector (ARAMCO, utilities) — exposure of operational technology credentials and configuration files; (5) Telecommunications (STC, Mobily) — customer data and infrastructure configuration leakage; (6) E-commerce platforms — payment gateway credentials and customer databases. The Subscriber-level access requirement means any WordPress user account (including compromised or insider accounts) can trigger the attack.
🏢 Affected Saudi Sectors
Banking and Financial Services (SAMA-regulated)
Government and Public Administration (NCA oversight)
Healthcare and Medical Services
Energy and Utilities (ARAMCO, regional operators)
Telecommunications (STC, Mobily, Zain)
E-commerce and Retail
Insurance and Investment Services
Education and Universities
Real Estate and Construction
Media and Publishing
🎯 MITRE ATT&CK Techniques
T1087 — Account Discovery (identifying WordPress user accounts)
T1110 — Brute Force (testing Subscriber account access)
T1526 — Exposure of Sensitive Information (AJAX nonce leakage)
T1552 — Unsecured Credentials (API keys, database credentials in backups)
T1567 — Exfiltration Over Web Service (file copying to public /uploads/)
T1190 — Exploit Public-Facing Application (WordPress plugin vulnerability)
T1548 — Abuse Elevation Control Mechanism (privilege escalation via access control bypass)
T1083 — File and Directory Discovery (filesystem path enumeration)
T1005 — Data from Local System (reading local files via copy function)
T1040 — Network Sniffing (AJAX nonce interception)
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Disable Slider Revolution plugin immediately: wp-cli plugin deactivate slider-revolution or via WordPress admin dashboard
2. Audit WordPress user accounts — identify all Subscriber and above accounts created in past 90 days; review access logs for suspicious activity
3. Check /wp-content/uploads/revslider/ai/ directory for unauthorized files; preserve for forensic analysis before deletion
4. Review web server access logs for requests to /wp-content/uploads/revslider/ai/ with non-image file extensions (.sql, .log, .json, .bak, .conf, .pem, .key, .crt, .txt, .db, .yml, .yaml, .xml, .csv)
5. Rotate all database credentials, API keys, and SSH keys that may have been exposed
6. Scan database backups for unauthorized access timestamps
PATCHING GUIDANCE:
- No official patch available as of CVE publication; monitor Slider Revolution GitHub/website for security updates
- When patch releases, test in staging environment before production deployment
- Consider alternative slider plugins (Elementor, Swiper, Splide) as interim solution
COMPENSATING CONTROLS (until patch available):
1. Restrict WordPress user roles: remove Subscriber accounts not actively needed; audit Contributor/Author accounts
2. Implement Web Application Firewall (WAF) rules to block requests to /wp-content/uploads/revslider/ai/ containing file extensions: .sql, .log, .json, .bak, .conf, .pem, .key, .crt, .txt, .db, .yml, .yaml, .xml, .csv
3. Disable AJAX action 'wordpress.create.image_from_url' via custom code: add_filter('wp_ajax_wordpress.create.image_from_url', '__return_false')
4. Implement file integrity monitoring on /wp-content/uploads/revslider/ directory
5. Restrict file upload permissions: chmod 750 /wp-content/uploads/revslider/
6. Monitor for suspicious admin_footer hook execution via security plugin (Wordfence, Sucuri)
DETECTION RULES:
- Alert on POST requests to /wp-admin/admin-ajax.php?action=wordpress.create.image_from_url
- Monitor for file access to /wp-content/uploads/revslider/ai/ with non-image MIME types
- Log all Subscriber-level user logins and AJAX requests
- Alert on @copy() function calls in WordPress error logs
- Detect requests with 'revslider_actions' nonce parameter in query strings
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تعطيل مكون Slider Revolution فوراً: wp-cli plugin deactivate slider-revolution أو عبر لوحة تحكم WordPress
2. تدقيق حسابات مستخدمي WordPress — تحديد جميع حسابات المشترك وما فوقها المنشأة في آخر 90 يوماً؛ مراجعة سجلات الوصول للنشاط المريب
3. التحقق من دليل /wp-content/uploads/revslider/ai/ للملفات غير المصرح بها؛ الحفاظ عليها للتحليل الجنائي قبل الحذف
4. مراجعة سجلات وصول خادم الويب للطلبات إلى /wp-content/uploads/revslider/ai/ بامتدادات ملفات غير صورية (.sql, .log, .json, .bak, .conf, .pem, .key, .crt, .txt, .db, .yml, .yaml, .xml, .csv)
5. تدوير جميع بيانات اعتماد قاعدة البيانات ومفاتيح API ومفاتيح SSH التي قد تكون قد تعرضت
6. مسح النسخ الاحتياطية من قاعدة البيانات للوصول غير المصرح به
إرشادات التصحيح:
- لا يوجد تصحيح رسمي متاح اعتباراً من نشر CVE؛ مراقبة موقع Slider Revolution/GitHub لتحديثات الأمان
- عند إصدار التصحيح، اختبر في بيئة التدريج قبل نشر الإنتاج
- فكر في مكونات منزلقة بديلة (Elementor, Swiper, Splide) كحل مؤقت
عناصر التحكم التعويضية (حتى توفر التصحيح):
1. تقييد أدوار مستخدمي WordPress: إزالة حسابات المشترك غير المطلوبة بنشاط؛ تدقيق حسابات المساهم/المؤلف
2. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحظر الطلبات إلى /wp-content/uploads/revslider/ai/ التي تحتوي على امتدادات ملفات: .sql, .log, .json, .bak, .conf, .pem, .key, .crt, .txt, .db, .yml, .yaml, .xml, .csv
3. تعطيل إجراء AJAX 'wordpress.create.image_from_url' عبر الكود المخصص: add_filter('wp_ajax_wordpress.create.image_from_url', '__return_false')
4. تنفيذ مراقبة سلامة الملفات على دليل /wp-content/uploads/revslider/
5. تقييد أذونات تحميل الملفات: chmod 750 /wp-content/uploads/revslider/
6. مراقبة تنفيذ admin_footer hook المريب عبر مكون الأمان (Wordfence, Sucuri)
قواعد الكشف:
- تنبيه على طلبات POST إلى /wp-admin/admin-ajax.php?action=wordpress.create.image_from_url
- مراقبة الوصول إلى الملفات في /wp-content/uploads/revslider/ai/ بأنواع MIME غير صورية
- تسجيل جميع عمليات تسجيل دخول مستخدمي المشترك وطلبات AJAX
- تنبيه على استدعاءات دالة @copy() في سجلات أخطاء WordPress
- كشف الطلبات بمعامل 'revslider_actions' nonce في سلاسل الاستعلام
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 — Information security policies and procedures (access control policy violation)
A.6.1.2 — User access management (Subscriber-level privilege escalation)
A.8.1.1 — Asset management and inventory (unauthorized file access)
A.12.4.1 — Event logging and monitoring (insufficient AJAX action logging)
A.13.1.1 — Information transfer policies and procedures (sensitive data exposure in transit)
🔵 SAMA CSF
ID.AM-2 — Software inventory and versioning (vulnerable plugin tracking)
PR.AC-1 — Access control policy enforcement (role-based access bypass)
PR.AC-4 — Access rights and privileges (Subscriber privilege escalation)
DE.CM-1 — Detection and analysis (AJAX action monitoring)
DE.CM-7 — Monitoring and detection of unauthorized activities (file access patterns)
RS.MI-2 — Incident response and mitigation (file exposure containment)
🟡 ISO 27001:2022
A.5.1.1 — Information security policies (access control framework)
A.6.1.2 — User access management (role-based access control)
A.8.1.1 — Asset management (software asset inventory)
A.8.3.1 — Media handling (file access and exposure)
A.12.4.1 — Event logging (AJAX and file operation logging)
A.13.1.1 — Information transfer (data exposure prevention)
🟣 PCI DSS v4.0.1
Requirement 1.1 — Firewall configuration standards (WAF rules for malicious AJAX)
Requirement 2.1 — Default security parameters (plugin hardening)
Requirement 6.2 — Security patches and updates (vulnerable plugin management)
Requirement 7.1 — Access control (role-based privilege management)
Requirement 10.2 — User access logging (AJAX action audit trails)
Requirement 10.3 — Logging of access to cardholder data (file access monitoring)