Any logged-in subscriber on a vulnerable WordPress site could have taken it over completely until last week. Slider Revolution, the popular premium slider plugin developed by ThemePunch, has patched an arbitrary file upload vulnerability affecting an estimated 45,000 of its 5 million-plus active installations — introduced when the flaw shipped in the 7.0 major release and present through version 7.0.10.

The vulnerability, tracked as CVE-2026-6692 with a CVSS score of 8.8 (High on the 1–10 scale used to rate vulnerability severity), allows any authenticated user with subscriber-level access or above to upload arbitrary files — including PHP webshells — to a vulnerable site and achieve remote code execution. Successful exploitation gives an attacker full control of the site.

A gloved hand plugs a USB drive into a server rack port inside a brightly lit data center.

Slider Revolution Patches High Severity File Upload Flaw

The flaw exists in the _get_media_url and _check_file_path functions within the RevSliderAddons class. The library.load.image AJAX action is whitelisted for all authenticated users in the RevSliderAPI class. An attacker can extract a valid nonce, then call that action with a data[0][id] parameter pointing to an attacker-controlled URL hosting a malicious PHP file. The plugin’s download_url() function fetches and writes the file directly into the publicly accessible WordPress uploads directory, where it can be executed via the web server. The root cause is insufficient file extension validation in _check_file_path().

CVE
A Common Vulnerabilities and Exposures identifier — a unique ID assigned to a publicly disclosed security flaw so it can be tracked across tools and reports.
CVSS
The Common Vulnerability Scoring System, a standardised 1–10 scale used to rate how severe a vulnerability is. Scores of 9.0 and above are rated Critical; 7.0–8.9 is High.
Arbitrary file upload
A vulnerability class where an attacker can upload a file of their choosing to a server, rather than being restricted to expected file types like images.
Remote code execution
The ability for an attacker to run their own code on a target server — the most severe outcome of an arbitrary file upload flaw, since an uploaded PHP file can be executed directly.

Security researcher h0xilo discovered and responsibly reported the issue through the Wordfence Bug Bounty Program, earning a $4,914.00 bounty. Wordfence disclosed details to ThemePunch on April 20, 2026. A partial patch was released in version 7.0.10 on April 22, and the full fix landed in version 7.0.11 on May 4, 2026.

Wordfence Premium, Care, and Response users received a firewall rule on April 20, 2026. Sites using the free version of Wordfence will receive the same protection on May 20, 2026.

All Slider Revolution users should update to version 7.0.11 immediately. Because Slider Revolution is a premium plugin distributed outside the WordPress.org repository, automatic updates depend on an active license — agency owners managing client sites running the plugin should confirm licenses are current and treat this as a priority update given the low access requirement and potential for complete site takeover.