WordPress Plugin Vulnerabilities

Slider Revolution < 6.6.19 - Author+ Insecure Deserialization leading to RCE

Description

The plugin does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote Code Execution.

Proof of Concept

Affects Plugins

Plugin icon
revslider
Fixed in 6.6.19

References

CVE
CVE-2023-6528

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
8.0 (high)

Miscellaneous

Original Researcher
Vaibhav Rajput, Prajyot Chemburkar
Submitter
Vaibhav Rajput, Prajyot Chemburkar
Verified
Yes
WPVDB ID
36ced447-84ea-4162-80d2-6df226cb53cb

Timeline

Publicly Published
2023-11-30 (about 2 years ago)
Added
2023-12-14 (about 2 years ago)
Last Updated
2023-12-14 (about 2 years ago)

Other

Published
Title
Published
2025-03-21
Title
Block Logic <= 1.0.8 - Authenticated (Contributor+) Remote Code Execution
Published
2021-06-07
Title
WordPress Popular Posts < 5.3.3 - Authenticated Code Injection
Published
2024-01-03
Title
LearnPress < 4.2.5.8 - Unauthenticated Command Injection
Published
2024-09-30
Title
Iconize <= 1.2.4 - Authenticated (Admin+) Remote Code Execution
Published
2024-05-15
Title
Advanced Custom Fields Pro < 6.2.10 - Authenticated (Contributor+) Code Injection