Slider Revolution <= 6.7.10 - Authenticated (Author+) Stored Cross-Site Scripting

Wordfence Intelligence   >   Vulnerability Database   >   Slider Revolution <= 6.7.10 - Authenticated (Author+) Stored Cross-Site Scripting
6.4
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE CVE-2024-34443
CVSS 6.4 (Medium)
Publicly Published May 28, 2024
Last Updated June 5, 2024
Researcher Rafie Muhammad - Awesome Motive, Inc.

Description

The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.7.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Learn more about Cross-Site Scripting vulnerabilities and how to prevent them.

References

Share

Vulnerability Details for Slider Revolution

Slider Revolution

Software Type Plugin
Software Slug revslider
Patched? Yes
Remediation Update to version 6.7.11, or a newer patched version
Affected Version
  • <= 6.7.10
Patched Version
  • 6.7.11

Recent vulnerabilities in Slider Revolution

Slider Revolution 7.0 - 7.0.10 - Authenticated (Subscriber+) Sensitive Information Disclosure
6.5
CVE-2026-7542
Jun 8, 2026
Researcher: Luc Huynh from Noventiq RedTeam
Slider Revolution 6.0.0-6.7.55 and 7.0.0-7.0.14 - Missing Authorization to Authenticated (Contributor+) Arbitrary Plugin Deactivation
4.3
CVE-2026-9050
Jun 1, 2026
Researcher: Nguyen Ngoc Duc (duc193)
Slider Revolution 7.0.0 - 7.0.14 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure
4.3
CVE-2026-9048
Jun 1, 2026
Researcher: Prickly Cactus
Slider Revolution <= 7.0.9 - Unauthenticated Sensitive Information Exposure via 'sliders/stream'
5.3
CVE-2026-6728
May 19, 2026
Researcher: Nos1x0
Slider Revolution 7.0.0 - 7.0.10 - Authenticated (Subscriber+) Arbitrary File Upload via _get_media_url
8.8
CVE-2026-6692
May 6, 2026
Researcher: h0xilo
Slider Revolution <= 6.7.37 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Read
6.5
CVE-2025-10249
Oct 8, 2025
Researcher: stealthcopter
Slider Revolution <= 6.7.36 - Authenticated (Contributor+) Arbitrary File Read via 'used_svg' and 'used_images'
6.5
CVE-2025-9217
Aug 28, 2025
Researcher: stealthcopter
Slider Revolution <= 6.7.18 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
6.4
CVE-2024-8107
Sep 30, 2024
Researcher: wesley (wcraft)
Slider Revolution <= 6.7.13 - Authenticated (Administrator+) Stored Cross-Site Scripting
4.4
CVE-2024-37449
Jun 28, 2024
Researcher: wesley (wcraft)
Slider Revolution <= 6.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Elementor wrapperid and zindex
6.4
CVE-2024-4637
Jun 3, 2024
Researcher: stealthcopter
# Title CVE ID CVSS Researchers Date
1 Slider Revolution 7.0 - 7.0.10 - Authenticated (Subscriber+) Sensitive Information Disclosure CVE-2026-7542 6.5 Luc Huynh from Noventiq RedTeam June 8, 2026
2 Slider Revolution 6.0.0-6.7.55 and 7.0.0-7.0.14 - Missing Authorization to Authenticated (Contributor+) Arbitrary Plugin Deactivation CVE-2026-9050 4.3 Nguyen Ngoc Duc (duc193) June 1, 2026
3 Slider Revolution 7.0.0 - 7.0.14 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure CVE-2026-9048 4.3 Prickly Cactus June 1, 2026
4 Slider Revolution <= 7.0.9 - Unauthenticated Sensitive Information Exposure via 'sliders/stream' CVE-2026-6728 5.3 Nos1x0 May 19, 2026
5 Slider Revolution 7.0.0 - 7.0.10 - Authenticated (Subscriber+) Arbitrary File Upload via _get_media_url CVE-2026-6692 8.8 h0xilo May 6, 2026
6 Slider Revolution <= 6.7.37 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Read CVE-2025-10249 6.5 stealthcopter October 8, 2025
7 Slider Revolution <= 6.7.36 - Authenticated (Contributor+) Arbitrary File Read via 'used_svg' and 'used_images' CVE-2025-9217 6.5 stealthcopter August 28, 2025
8 Slider Revolution <= 6.7.18 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload CVE-2024-8107 6.4 wesley (wcraft) September 30, 2024
9 Slider Revolution <= 6.7.13 - Authenticated (Administrator+) Stored Cross-Site Scripting CVE-2024-37449 4.4 wesley (wcraft) June 28, 2024
10 Slider Revolution <= 6.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Elementor wrapperid and zindex CVE-2024-4637 6.4 stealthcopter June 3, 2024
View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

Copyright 2012-2026 Defiant Inc.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

Copyright 1999-2026 The MITRE Corporation

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation