4,000,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in Slider Revolution WordPress Plugin


📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢

🚀 Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!

📁 The LFInder Challenge: Refine your LFI hunting skills with an expanded scope. Now through November 24, 2025, all LFI vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of researcher tier, AND earn a 30% bonus on all Local File Inclusion vulnerability submissions not already increased by another promotion.


On August 11th, 2025, we received a submission for an Arbitrary File Read vulnerability in Slider Revolution, a WordPress plugin that’s estimated to have more than 4,000,000 active installations. This vulnerability makes it possible for an authenticated attacker, with contributor-level permissions or higher, to read arbitrary files on the server, which may contain sensitive information.

Props to stealthcopter who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $656.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to our multi-layered approach to security.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Directory Traversal protection.

We provided full disclosure details to the ThemePunch team instantly through our Wordfence Vulnerability Management Portal on August 19, 2025. The developer released the patch on August 28, 2025. We would like to commend the ThemePunch team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Slider Revolution, version 6.7.37 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

CVSS Rating: 6.5 (Medium)
Affected Versions: <= 6.7.36
Patched Version: 6.7.37
Bounty: $656.00
Affected Software: Slider Revolution
Affected Software Slug:
Researcher: stealthcopter

The Slider Revolution plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.7.36 via the ‘used_svg’ and ‘used_images’ parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Technical Analysis

Slider Revolution is one of the most popular slider builder WordPress plugins.

Examining the code reveals that the plugin uses the add_svg_to_zip() function and the add_images_videos_to_zip() function in the RevSliderSliderExport class to add image and video files to the export zip. The add_svg_to_zip() function is shown below; add_images_videos_to_zip() handles the ‘used_images’ entries in the same way.

public function add_svg_to_zip(){
	if(empty($this->used_svg)) return;

	$c_url	= $this->remove_http(content_url());
	$c_path	= ABSPATH . 'wp-content';
	$ud		= wp_upload_dir();
	$up_dir	= $this->get_val($ud, 'baseurl');
	$up_dir	= $this->remove_http($up_dir);
	$cont_url			= $this->remove_http($this->get_val($ud, 'baseurl'));
	$cont_url_no_www	= str_replace('www.', '', $cont_url);

	//$this->used_svg comes from the request; each key is a file reference supplied by the user
	foreach($this->used_svg as $file => $val){
		if(strpos($file, 'http') !== false || substr($file, 0, 2) === '//' || substr($file, 0, 4) === '\/\/'){ //remove all up to wp-content folder
			$file		= $this->remove_http($file);
			$_checkpath = str_replace(array($cont_url.'/', $cont_url_no_www.'/'), '', $file);
			$checkpath = str_replace($c_url, '', $file);
			$checkpath2 = str_replace($up_dir, '', $file);
			if($checkpath2 === $file){ //we have an SVG like whiteboard, fallback to older export
				$checkpath2 = $checkpath;
			}

			//check if file is in the upload folder, if yes, add it to the zip file
			//(a substring test only: nothing normalises the resulting path or restricts the file type)
			if(strpos($file, $up_dir) !== false){
				if(!$this->usepcl){
					$this->zip->addFile($c_path.$checkpath, 'images/'.$_checkpath);
				}else{
					$this->pclzip->add($c_path.$checkpath, PCLZIP_OPT_REMOVE_PATH, $c_path, PCLZIP_OPT_ADD_PATH, $_checkpath);
				}
			}
			$_file = str_replace('/', '\/', $file); //JSON-escaped form of the reference
			$checkpath2 = str_replace('/', '\/', str_replace('/revslider/assets/svg', '', $checkpath2));

			$replace = (is_file($c_path.$checkpath)) ? $checkpath2 : '';
			$this->export_data = str_replace(array('http:'.$_file, 'https:'.$_file, $_file, 'http:'.$file, 'https:'.$file, $file), $replace, $this->export_data);
		}
	}
}

Unfortunately, in the vulnerable version this function performs no file type or file source checks. The only gate is a strpos() substring test for the upload directory URL, and the path handed to addFile() is built by stripping the content URL prefix from the user-supplied reference, so nothing verifies that the resulting path stays inside the uploads directory or that it refers to an image or video. This means that not only image or video files can be exported, but .php files can as well.

This ultimately makes it possible for authenticated attackers with slider editor access, like contributors, to read any arbitrary file on the server, including the site’s wp-config.php file, which contains the database credentials as well as keys and salts for cryptographic security.
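The missing checks described above are easy to state precisely. As an added illustration (this is not Slider Revolution's code or the vendor's patch), the Python below shows what an export routine should establish before handing a user-supplied asset reference to a zip writer: the reference points at this site's uploads URL, the normalised filesystem path stays inside the uploads directory, and the extension is an allowed asset type. The paths, URLs, the ALLOWED_EXTENSIONS set and the function names are assumptions made for the example; a real site would take them from ABSPATH and wp_upload_dir().

```python
"""Added example: path-containment and file-type checks for an export routine.
Illustrative code, not the plugin's own; site paths and URLs are constructed."""
import os
import posixpath
from urllib.parse import unquote, urlparse

# Constructed stand-ins for ABSPATH . 'wp-content' and wp_upload_dir()['baseurl'].
CONTENT_DIR = "/var/www/html/wp-content"
UPLOADS_URL = "https://example.com/wp-content/uploads"
UPLOADS_DIR = os.path.join(CONTENT_DIR, "uploads")
# Resolve once so comparisons survive symlinked parents (e.g. /var -> /private/var).
UPLOADS_ROOT = os.path.realpath(UPLOADS_DIR)
# Only asset types an export has any business including (assumed list).
ALLOWED_EXTENSIONS = {".svg", ".png", ".jpg", ".jpeg", ".gif", ".webp", ".mp4", ".webm"}


def remove_http(url: str) -> str:
    """Strip the scheme the way the plugin's remove_http() does: 'https://h/p' -> '//h/p'."""
    lowered = url.lower()
    for scheme in ("https:", "http:"):
        if lowered.startswith(scheme):
            return url[len(scheme):]
    return url


def _strip_www(host: str) -> str:
    return host[4:] if host.lower().startswith("www.") else host


def safe_export_path(file_ref: str):
    """Map an asset URL from the export request to a filesystem path, or return None.

    Accepts only references whose host is this site's, whose URL path sits under the
    uploads URL, whose normalised filesystem path stays inside UPLOADS_ROOT and whose
    extension is an allowed asset type. A substring test plus prefix stripping, as in
    the vulnerable function, gives none of these guarantees."""
    parsed = urlparse(remove_http(file_ref))
    expected = urlparse(UPLOADS_URL)
    if not parsed.netloc:
        return None  # not an absolute URL; the exporter only handles those
    if _strip_www(parsed.netloc).lower() != _strip_www(expected.netloc).lower():
        return None  # foreign host

    # Decode percent-encoding exactly once before any path logic, and refuse NUL bytes.
    path = unquote(parsed.path)
    if "\x00" in path:
        return None
    prefix = expected.path.rstrip("/") + "/"
    if not path.startswith(prefix):
        return None  # not under the uploads URL

    # Leading slashes would make os.path.join discard the base directory.
    relative = path[len(prefix):].lstrip("/")
    # Collapse '.' and '..' lexically, then resolve symlinks on the real filesystem.
    candidate = os.path.realpath(os.path.join(UPLOADS_ROOT, posixpath.normpath(relative)))
    if not candidate.startswith(UPLOADS_ROOT + os.sep):
        return None  # escaped the uploads directory (or is the directory itself)

    _, ext = os.path.splitext(candidate)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return None  # e.g. a .php or configuration file
    return candidate


if __name__ == "__main__":
    # Constructed references: the first three are accepted, the rest rejected.
    for ref in (
        "https://example.com/wp-content/uploads/2025/08/logo.svg",
        "//www.example.com/wp-content/uploads/video.mp4",
        "https://example.com/wp-content/uploads/2025/../a.png",
        "https://example.com/wp-content/uploads/../plugins/a.svg",
        "https://example.com/wp-content/uploads/%2e%2e/plugins/a.svg",
        "https://example.com/wp-content/uploads/notes.php",
        "https://evil.example/wp-content/uploads/x.svg",
        "images/foo.svg",
    ):
        print(f"{ref!r:70} -> {safe_export_path(ref)}")
```

Two design points matter here. Decoding happens once and before normalisation, so an encoded traversal segment is collapsed by normpath() rather than surviving into the filesystem call, and the containment test compares realpath() results on both sides so that symlinked parent directories do not produce false rejections. The extension allow-list is the second, independent layer: even a path that stays inside the uploads directory is refused unless it is an asset type the export actually needs.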

Disclosure Timeline

August 11, 2025 – We received the submission for the Arbitrary File Read vulnerability in Slider Revolution via the Wordfence Bug Bounty Program.
August 19, 2025 – We validated the report and confirmed the proof-of-concept exploit.
August 19, 2025 – Full disclosure details were sent instantly to the vendor through our Wordfence Vulnerability Management Portal.
August 21, 2025 – The vendor acknowledged the report and began working on a fix.
August 28, 2025 – The fully patched version of the plugin, 6.7.37, was released.

Conclusion

In this blog post, we detailed an Arbitrary File Read vulnerability within the Slider Revolution plugin affecting versions 6.7.36 and earlier. This vulnerability allows threat actors with contributor access to read arbitrary files, which can contain sensitive information. The vulnerability has been addressed in version 6.7.37 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Slider Revolution as soon as possible.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are fully protected against this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure.

The post 4,000,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in Slider Revolution WordPress Plugin appeared first on Wordfence.
