Arbitrary File Read Vulnerability in Slider Revolution Plugin
Summary
A vulnerability in the Slider Revolution plugin for WordPress, tracked as CVE-2025-9217, allows authenticated users with contributor-level permissions or higher to read sensitive files on the server. The flaw affects all versions up to 6.7.36 and stems from insufficient validation in the 'used_svg' and 'used_images' parameters. The issue was discovered by an independent researcher and disclosed through the Wordfence Bug Bounty Program. The developer, ThemePunch, released a patch on August 28, 2025. The vulnerability could expose confidential server data, including database credentials and cryptographic keys. Slider Revolution is widely used, with over 4 million active installations. Security experts recommend updating to the latest version to mitigate the risk.
Timeline
- 15.10.2025 18:45 · 1 article
Arbitrary File Read Vulnerability in Slider Revolution Plugin Discovered and Patched
On August 11, 2025, an independent researcher discovered a vulnerability in the Slider Revolution plugin for WordPress. The flaw, CVE-2025-9217, allows authenticated users with contributor-level permissions or higher to read sensitive files on the server. The developer, ThemePunch, released a patch (version 6.7.37) on August 28, 2025, addressing the underlying file-handling weaknesses. The vulnerability was disclosed through the Wordfence Bug Bounty Program, and the researcher received a $656 bounty.
- Flaw in Slider Revolution Plugin Exposed 4m WordPress Sites — www.infosecurity-magazine.com — 15.10.2025 18:45
Information Snippets
- The vulnerability, CVE-2025-9217, affects all versions of Slider Revolution up to 6.7.36.
- The flaw allows authenticated users with contributor-level permissions or higher to read sensitive files.
- The issue arises from insufficient validation in the 'used_svg' and 'used_images' parameters.
- The vulnerability was discovered by an independent researcher on August 11, 2025.
- The developer, ThemePunch, released a patch (version 6.7.37) on August 28, 2025.
- The flaw has a CVSS score of 6.5, classified as medium severity.
- Slider Revolution has over 4 million active installations.
- The patch introduces stricter validation checks on file paths and types.

All snippets first reported 15.10.2025 18:45 (1 source, 1 article): Flaw in Slider Revolution Plugin Exposed 4m WordPress Sites — www.infosecurity-magazine.com — 15.10.2025 18:45