Slider Revolution
cpe:2.3:a:themepunch:slider_revolution:*:*:*:*:wordpress:*:*
- <= 7.0.10
The Slider Revolution plugin for WordPress contains a sensitive information disclosure vulnerability affecting versions through 7.0.10. The issue arises from three design flaws:

- The plugin unintentionally exposes a valid backend AJAX nonce (revslider_actions) to all authenticated users, including Subscribers, through the admin_footer hook.
- The wordpress.create.image_from_url action is improperly allowlisted for general use, bypassing the administrator-only restriction it requires.
- The create_wordpress_image_from_url() function accepts an attacker-controlled URL, which is then processed by import_media().

Together these flaws allow local filesystem paths or URLs to be read and the file copied into a publicly accessible directory, with the potential for reading sensitive file types. Authenticated users with Subscriber-level access and above can read server files with non-blacklisted extensions by having those files copied to a public URL.
Exploitation of this vulnerability could lead to unauthorized access to sensitive information stored in server files, such as database backups or configuration files, by allowing authenticated users to read these files through the WordPress media handling functions.
Users are advised to update the Slider Revolution plugin to version 7.0.11 or a newer patched version.
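Each of the three flaws described above corresponds to one server-side check. The sketch below is an added example of that pattern using standard WordPress APIs. It is not Slider Revolution's code or its 7.0.11 patch, and the `myplugin_*` names, the `client_action` and `url` request fields, and the capability map are hypothetical.

```php
<?php
// Added illustration, not Slider Revolution's code. All myplugin_* names and
// the request fields 'client_action' and 'url' are hypothetical.

// Flaw 2: every action carries its own capability; unknown actions are denied.
const MYPLUGIN_ACTION_CAPS = array(
    'slider.preview'        => 'read',
    'image.create_from_url' => 'manage_options', // administrators only
);

// Flaw 1: print the backend nonce only for users allowed to use it.
add_action( 'admin_footer', function () {
    if ( current_user_can( 'manage_options' ) ) {
        printf(
            '<script>window.mypluginNonce = "%s";</script>',
            esc_js( wp_create_nonce( 'myplugin_actions' ) )
        );
    }
} );

// Flaw 3: accept only remote http(s) URLs, never local paths or file://.
function myplugin_is_remote_http_url( $src ) {
    $parts = wp_parse_url( $src );
    if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false; // bare filesystem paths have no scheme or host
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false; // rejects file://, php://, phar:// and similar wrappers
    }
    return false !== wp_http_validate_url( $src );
}

add_action( 'wp_ajax_myplugin', function () {
    check_ajax_referer( 'myplugin_actions', 'nonce' ); // dies on a bad nonce
    $action = isset( $_POST['client_action'] )
        ? sanitize_text_field( wp_unslash( $_POST['client_action'] ) ) : '';
    // A valid nonce is not authorization: check the capability for this action.
    if ( ! isset( MYPLUGIN_ACTION_CAPS[ $action ] )
        || ! current_user_can( MYPLUGIN_ACTION_CAPS[ $action ] ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( 'image.create_from_url' === $action ) {
        $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
        if ( ! myplugin_is_remote_http_url( $url ) ) {
            wp_send_json_error( 'invalid source', 400 );
        }
        // Hand $url to the import routine only after both checks pass.
    }
    wp_send_json_success();
} );
```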