WordPress Slider Revolution Plugin Arbitrary File Upload Vulnerability
The Slider Revolution plugin for WordPress is vulnerable to arbitrary file upload due to insufficient file type validation, allowing authenticated attackers with subscriber-level access or higher to upload executable files, potentially leading to remote code execution.
The Slider Revolution plugin for WordPress, versions 7.0.0 through 7.0.10, contains an arbitrary file upload vulnerability. The flaw resides in the ‘_get_media_url’ and ‘_check_file_path’ functions and stems from a lack of proper file type validation. An authenticated attacker with subscriber-level privileges or higher can exploit it to upload malicious files, including executable ones. Successful exploitation can lead to remote code execution on the affected WordPress server. A partial patch was implemented in version 7.0.10, and a complete fix is available in version 7.0.11. This vulnerability poses a significant risk to websites using the affected plugin versions.
Attack Chain
- An attacker gains subscriber-level access (or higher) to a WordPress site running a vulnerable Slider Revolution plugin version (7.0.0 to 7.0.10).
- The attacker crafts a malicious HTTP request targeting the ‘_get_media_url’ function.
- The request includes a payload designed to upload an arbitrary file, such as a PHP script.
- Due to insufficient file type validation in ‘_check_file_path’, the malicious file bypasses security checks.
- The plugin stores the uploaded file in a publicly accessible directory.
- The attacker accesses the uploaded file via its URL, triggering the execution of the malicious script.
- The attacker achieves remote code execution on the web server.
- The attacker leverages the compromised server for further malicious activities, such as data theft or lateral movement.
Impact
Successful exploitation of this vulnerability allows attackers to execute arbitrary code on the WordPress server. This can lead to complete compromise of the website, including defacement, data theft, and the installation of backdoors. Given the widespread use of WordPress and the Slider Revolution plugin, a large number of websites are potentially at risk. The CVSS v3.1 base score for this vulnerability is 8.8, indicating a high severity.
Recommendation
- Upgrade the Slider Revolution plugin to version 7.0.11 or later to fully patch CVE-2026-6692.
- Implement the Sigma rule “Detect Suspicious File Uploads to WordPress Media Directory” to detect potential exploitation attempts.
- Review WordPress user roles and permissions, ensuring that subscriber-level users have minimal privileges.
- Monitor web server logs for suspicious HTTP requests targeting the ‘_get_media_url’ function.
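A log-side check for the last two recommendations, added here as an illustration and not part of the advisory: it scans Apache/nginx combined-format access log lines for executable files requested from the media directory and for POSTs to the plugin whose query string names an executable file, then correlates the two per client. It assumes the plugin's requests carry the slug "revslider" (the endpoint behind ‘_get_media_url’ is not given above); the AJAX action name, rule names and log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Web-executable extensions (double extensions included) that never belong in uploads.
EXEC_EXT = re.compile(r"\.(?:php\d?|phtml|phar|pht|shtml)(?:\.|$)", re.IGNORECASE)
UPLOADS_DIR = "/wp-content/uploads/"
# Assumption: plugin requests carry the slug "revslider"; the exact endpoint behind
# _get_media_url is not given in the advisory, so only the slug is matched.
PLUGIN_MARKER = "revslider"
# Combined log format: ip ident user [time] "method target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample access log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=revslider_ajax_action&file=evil.phtml HTTP/1.1" 200 120 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2026:12:00:03 +0000] "GET /wp-content/uploads/revslider/evil.phtml HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2026:12:01:00 +0000] "GET /wp-content/uploads/2026/03/banner.jpg HTTP/1.1" 200 40123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:12:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=revslider_ajax_action HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def analyze_line(line):
    """Return (rule, ip, request) findings for one combined-format log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, method, target, status = m.groups()
    parts = urlsplit(unquote(target))
    request = f"{method} {target} {status}"
    findings = []
    # Rule 1: an executable fetched from the media directory. WordPress never serves
    # PHP from wp-content/uploads, so this catches the "access the uploaded file" step.
    if parts.path.lower().startswith(UPLOADS_DIR) and EXEC_EXT.search(parts.path):
        findings.append(("exec_file_in_uploads", ip, request))
    # Rule 2: a POST to the plugin whose query string names an executable file.
    # Only the query is inspected, because plugin endpoints are legitimately .php.
    if method == "POST" and PLUGIN_MARKER in target.lower() and EXEC_EXT.search(parts.query):
        findings.append(("plugin_post_exec_ext", ip, request))
    return findings

def scan_log(text):
    return [f for line in text.splitlines() for f in analyze_line(line)]

def correlate(findings):
    """Clients seen both posting an executable name and fetching one from uploads."""
    rules_by_ip = defaultdict(set)
    for rule, ip, _ in findings:
        rules_by_ip[ip].add(rule)
    return sorted(ip for ip, rules in rules_by_ip.items()
                  if {"exec_file_in_uploads", "plugin_post_exec_ext"} <= rules)
```

Rule 1 is plugin-independent and is the higher-confidence signal; Rule 2 only sees filenames that appear in the query string, since multipart bodies are not logged.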
Detection coverage (2 rules)
Detect Suspicious File Uploads to WordPress Media Directory
Severity: critical. Detects potential exploitation attempts of file upload vulnerabilities in WordPress by monitoring for suspicious file extensions being uploaded to the media directory.
Detect WordPress Plugin Arbitrary File Upload via POST Request
Severity: high. Detects potential arbitrary file uploads to a WordPress plugin by monitoring POST requests with suspicious file extensions.