5 Slider Revolution Vulnerabilities
Hello,
For some time now, all versions of the Slider Revolution plugin up to and including version 7.0.14 have been affected by several security vulnerabilities.
The list of vulnerabilities is as follows:
Vulnerability found: Slider Revolution 7.0.0 - 7.0.10 - Subscriber+ Arbitrary File Upload via _get_media_url
Vulnerability found: Slider Revolution < 7.0.10 - Unauthenticated Sensitive Information Exposure via 'sliders/stream'
Vulnerability found: Slider Revolution 6.0.0-6.7.55 and 7.0.0-7.0.14 - Missing Authorization to Authenticated (Contributor+) Arbitrary Plugin Deactivation
Vulnerability found: Slider Revolution 7.0.0 - 7.0.14 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure
Vulnerability found: Slider Revolution 7.0 - 7.0.10 - Authenticated (Subscriber+) Sensitive Information Disclosure
Links with the vulnerabilities:
[Links visible only for registered users]
[Links visible only for registered users]
[Links visible only for registered users]
[Links visible only for registered users]
That's five vulnerabilities affecting a single plugin, yet Betheme only allows updating Slider Revolution up to version 6.7.58.
Could you please make it possible to update the Slider Revolution plugin through Betheme to a version newer than 7.0.14 so that we are not exposed to these security risks?
Thank you!
Best regards.
Comments
Hello,
Thank you for bringing this to our attention.
We take security concerns very seriously. To clarify how this affects your website and what the current status is regarding the reported Slider Revolution vulnerabilities, please note the following:
Please Note: Because Slider Revolution is a bundled third-party plugin, we are entirely dependent on their development team to release the actual security patches. Until the Slider Revolution team rolls out a new update addressing these specific vulnerabilities, there is unfortunately nothing we can do on our end.
We highly recommend ensuring that you have updated to version 6.7.58 in the meantime. As soon as the plugin authors release a new patch, we will make it available to our users immediately.
Best regards
I understand. What I'm wondering is whether, at some point in the future, Betheme will become compatible with Slider Revolution version 7, especially once they stop providing security support for version 6.
Otherwise, we could end up facing a significant problem.
With Slider Revolution 7, the plugin author has decided to release a version that is not compatible with sliders created in version 6 and limits the number of sliders available under the lifetime license to three. All our demos that use Slider Revolution have been built with SR6, and many of our customers use more than three sliders on their websites.
As a result, we officially supports up to version 6 only, which is provided under the Envato Bundled license, and at the moment we do not have plans to extend the support to version 7.
Best regards