
Description

The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the '_get_media_url' and '_check_file_path' functions. This is due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload files that may be executable, which makes remote code execution possible. The vulnerability was partially patched in version 7.0.10 and fully patched in version 7.0.11.

PUBLISHED Reserved 2026-04-20 | Published 2026-05-07 | Updated 2026-05-07 | Assigner Wordfence




HIGH: 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-434 Unrestricted Upload of File with Dangerous Type

Product status

Default status
unaffected

7.0.0 (semver)
affected

Timeline

2026-04-20: Vendor Notified
2026-05-06: Disclosed

Credits

Phú (finder)

References

www.wordfence.com/...-d2f1-47cc-883a-89110e569168?source=cve

www.sliderrevolution.com/

cve.org (CVE-2026-6692)

nvd.nist.gov (CVE-2026-6692)
