Flaw in Slider Revolution Plugin Exposed 4m WordPress Sites

A security vulnerability affecting millions of WordPress websites has been uncovered in the widely used Slider Revolution plugin.

The flaw, tracked as CVE-2025-9217, could allow users with contributor-level permissions or higher to read sensitive files stored on a site’s server.

Attackers could exploit the flaw to access any file on the server, including wp-config.php, which holds database credentials and cryptographic keys.

Security analysts rated the flaw 6.5 under the Common Vulnerability Scoring System (CVSS), classifying it as medium severity.

Author summary: Vulnerability exposes WordPress sites to file access.

Infosecurity Magazine, 2025-10-15