Cyberwire Daily
Flaw in Slider Revolution Plugin Exposed 4m WordPress Sites

By Team-CWD | October 15, 2025 | 2 Mins Read
A security vulnerability affecting millions of WordPress websites has been uncovered in the widely used Slider Revolution plugin.

The flaw, tracked as CVE-2025-9217, could allow users with contributor-level permissions or higher to read sensitive files stored on a site’s server.

The Arbitrary File Read issue affects all versions of Slider Revolution up to and including 6.7.36. It stems from insufficient validation of two parameters used by the plugin's export feature, "used_svg" and "used_images," which list the image and video files to be packaged into an export.

Because the export routine did not restrict the file types or paths it would package, an attacker could supply paths outside the media directories and read any file the web server process can access, including wp-config.php, which holds the database credentials and the site's authentication keys and salts.

The flaw carries a CVSS score of 6.5, which places it in the medium-severity band; the score is held down by the requirement for an authenticated account rather than by the impact of a successful read.

Discovery and Disclosure Timeline

The vulnerability was discovered by an independent researcher, "stealthcopter," who reported it on August 11, 2025 through the Wordfence Bug Bounty Program.

Wordfence verified the report and relayed the details to the plugin's developer, ThemePunch, on August 19. The developer acknowledged the issue within two days and began working on a fix.

A patched version, 6.7.37, was released on August 28. The researcher received a $656 bounty for responsibly disclosing the flaw.

Read more on WordPress plugin security vulnerabilities: Critical Flaws in WordPress Plugin Leave 10,000 Sites Vulnerable

Impact and Recommendations

Slider Revolution remains one of the most widely used slider plugins for WordPress, with over 4 million active installations.

Exploitation requires an authenticated account at Contributor level or above. Contributor is the lowest standard WordPress role that can write posts and is commonly handed to guest authors, so on multi-author sites the requirement is a weak barrier, and a successful attack exposes database credentials and any other file the web server can read.

ThemePunch issued the patch nine days after being notified, addressing the underlying file-handling weaknesses that enabled the unauthorized reads.

The update introduced stricter validation of file paths and types within the export functions, so that only permitted media files can be included in zip exports. This prevents an attacker from manipulating the parameters to reach files outside the approved directories, closing the loophole that made arbitrary file reads possible.

Security experts at Wordfence have recommended prompt installation of the latest update to ensure website integrity and data protection. Because the flaw allows wp-config.php to be read, sites that had untrusted Contributor accounts while running a vulnerable version should also rotate the database password and the authentication keys and salts after updating.
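To make the file-handling weakness and the shape of the fix concrete, here is an added example in PHP. It is not Slider Revolution's code and is not taken from the 6.7.37 patch: it models a plugin zip-export routine that receives a list of "used" media paths from the request, first in the unsafe form the advisory describes and then hardened with the kind of path and type checks the update is said to add. The directory layout, file names, the symlink and the archive paths are constructed for the demo; it assumes PHP 8 with the zip extension.

```php
<?php
declare(strict_types=1);

// Added example, not Slider Revolution's own code and not taken from the
// 6.7.37 patch. It models a plugin zip-export routine that receives a list
// of "used" media paths from the request. The uploads directory, file names
// and archive paths are constructed for this demo; it needs PHP 8 + ext-zip.

// Unsafe form matching the behaviour the advisory describes: each requested
// entry is joined to the uploads directory without normalisation or type
// checks, so "../wp-config.php" is packaged like any image.
function export_media_zip_unsafe(array $used_images, string $uploads_dir, string $zip_path): array
{
    $zip = new ZipArchive();
    if ($zip->open($zip_path, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("cannot create $zip_path");
    }
    $added = [];
    foreach ($used_images as $rel) {
        $path = $uploads_dir . '/' . $rel;
        if (is_file($path) && $zip->addFile($path, basename($path))) {
            $added[] = $path;
        }
    }
    $zip->close();
    return $added;
}

// Hardened form: an entry is accepted only if realpath() (which collapses
// ".." segments and follows symlinks) lands on a regular file beneath the
// uploads directory and the extension is on the media allow-list. Rejected
// entries are dropped, not "repaired".
function resolve_permitted_media(array $used_images, string $uploads_dir, array $allowed_ext): array
{
    $base = realpath($uploads_dir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException("uploads directory $uploads_dir not found");
    }
    $base = rtrim($base, '/') . '/';
    $permitted = [];
    foreach ($used_images as $rel) {
        $rel = (string) $rel;
        if ($rel === '' || str_contains($rel, "\0")) {
            continue;                                   // empty or NUL-byte names are never valid
        }
        $real = realpath($base . $rel);
        if ($real === false || !is_file($real)) {
            continue;                                   // does not exist, or is a directory
        }
        if (!str_starts_with($real, $base)) {
            continue;                                   // resolved outside uploads: traversal or symlink
        }
        $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
        if (!in_array($ext, $allowed_ext, true)) {
            continue;                                   // .php, .sql, .txt and friends
        }
        $permitted[] = $real;
    }
    return $permitted;
}

function export_media_zip_safe(array $used_images, string $uploads_dir, string $zip_path): array
{
    $allowed = ['png', 'jpg', 'jpeg', 'gif', 'webp', 'svg', 'mp4', 'webm'];
    $files = resolve_permitted_media($used_images, $uploads_dir, $allowed);
    $zip = new ZipArchive();
    if ($zip->open($zip_path, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("cannot create $zip_path");
    }
    foreach ($files as $file) {
        $zip->addFile($file, basename($file));
    }
    $zip->close();
    return $files;
}

// Demo layout: <site>/wp-config.php with <site>/uploads/logo.png beneath it,
// plus a symlink inside uploads that points back at wp-config.php.
$site = sys_get_temp_dir() . '/export-demo-' . getmypid();
mkdir("$site/uploads", 0700, true);
file_put_contents("$site/uploads/logo.png", 'PNG');
file_put_contents("$site/wp-config.php", "<?php define('DB_PASSWORD', 'demo-secret');");
symlink("$site/wp-config.php", "$site/uploads/shortcut.png");

// The kind of list an attacker would submit in used_images / used_svg.
$requested = ['logo.png', '../wp-config.php', 'shortcut.png', 'missing.png'];

print_r(export_media_zip_unsafe($requested, "$site/uploads", "$site/unsafe.zip"));
print_r(export_media_zip_safe($requested, "$site/uploads", "$site/safe.zip"));
```

Run it with the php command-line binary. The unsafe call returns logo.png, the traversal entry and the symlink, and unsafe.zip contains the contents of wp-config.php twice; the hardened call returns only the real logo.png, because the symlink resolves outside the uploads directory even though its name ends in .png. The realpath() containment check runs before the extension test on purpose: an extension allow-list alone is defeated by a symlink or by any secret that happens to carry a media extension.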