WordPress Plugin Vulnerabilities

WordPress Slider Revolution - Local File Disclosure

Description

Note: The Construct, Echelon, Fusion, Method, Modular and Myriad affected themes are from the Mysitemyway, who went out of business, and the themes have been forked by BackStop Themes who does not use Revslider.

Affects Plugins

Plugin icon
revslider
Fixed in 4.1.5

Affects Themes

IncredibleWP
No known fix
ultimatum
Fixed in 2.9.1.5
medicate
No known fix
Centum
No known fix
Avada
Fixed in 3.4
striking_r
Fixed in 1.2.3
beach_apollo
No known fix
aries
No known fix
showbiz
Fixed in 1.7.1
construct
Fixed in 2.8.3
manbiz2
No known fix
method
Fixed in 2.8.3
modular
Fixed in 2.8.3
myriad
Fixed in 2.8.3
echelon
Fixed in 2.8.3
fusion
Fixed in 2.8.3
awake
No known fix
seabird
No known fix
soulmedic
No known fix
bretheon
No known fix

References

CVE
CVE-2015-1579
Exploitdb
34511
URL
https://packetstormsecurity.com/files/#129761/
URL
https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.5 (high)

Miscellaneous

Verified
Yes
WPVDB ID
4b077805-5dc0-4172-970e-cc3d67964f80

Timeline

Publicly Published
2015-02-11 (about 11 years ago)
Added
2014-09-17 (about 11 years ago)
Last Updated
2020-12-11 (about 5 years ago)

Other

Published
Title
Published
2015-07-10
Title
IBS Mappro < 1.0 - Directory Traversal
Published
2015-06-10
Title
History Collection <= 1.1.1 - Arbitraty File Download
Published
2021-08-24
Title
Live Scores for SportsPress < 1.9.1 - Authenticated Local File Inclusion
Published
2025-02-14
Title
Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP < 6.2.1 - Unauthenticated Arbitrary File Read
Published
2026-04-13
Title
BackWPup < 5.6.7 - Admin+ Local File Inclusion via 'block_name' Parameter