Platform
wordpress
Component
slider-revolution
Fixed version
6.7.37
CVE-2025-9217 is an Arbitrary File Read vulnerability affecting the Slider Revolution plugin for WordPress. It allows authenticated attackers with Contributor-level access or higher to read arbitrary files on the server, potentially exposing sensitive information. All versions up to and including 6.7.36 are affected; the fix is available in version 6.7.37.
An attacker exploiting CVE-2025-9217 supplies a crafted value in the 'usedsvg' or 'usedimages' parameter so that the plugin reads a file outside the directory it intends to serve. This is a classic path traversal: a user-controlled filename is joined onto a base directory without checking that the resolved path still lies inside it. The obvious target on a WordPress host is wp-config.php, which holds the database credentials and authentication salts; other configuration files, source code and any other file the PHP worker can read are exposed as well. The impact is wider where the same PHP user serves other applications, since their files can be read too. Contributor is a low-privilege role (it cannot publish posts or upload files), so the precondition is weak: any site that lets untrusted people register or contribute content is exposed.
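The following is an added illustration of the bug class described above, not Slider Revolution's code: the plugin is PHP and its source is not on this page, so the weak pattern and a hardened version are shown side by side in Python with the same shape. The directory layout, the filenames and the "secret" in wp-config.php are constructed for the demo.

```python
"""Added illustration of arbitrary file read via a user-supplied path (the bug
class in CVE-2025-9217), not Slider Revolution's code: the plugin is PHP and
its source is not on this page, so the logic is shown in Python."""
import os
import tempfile

ALLOWED_SUFFIXES = (".svg", ".png", ".jpg", ".jpeg", ".gif", ".webp")


def read_asset_vulnerable(upload_dir: str, name: str) -> bytes:
    """The weak pattern: trust a parameter such as 'usedsvg' as a filename and
    join it onto the upload directory. os.path.join() does not stop '../'."""
    path = os.path.join(upload_dir, name)
    with open(path, "rb") as fh:
        return fh.read()


def read_asset_hardened(upload_dir: str, name: str) -> bytes:
    """Resolve the path, then require that the resolved target still sits
    inside the resolved upload directory and is a file of an expected type."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath is the containment check; a plain string-prefix test would
    # accept /var/www/uploads_evil for base /var/www/uploads
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes upload directory: {name!r}")
    if not target.lower().endswith(ALLOWED_SUFFIXES):
        raise PermissionError(f"unexpected asset type: {name!r}")
    if not os.path.isfile(target):
        raise FileNotFoundError(name)
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed layout: a fake web root holding wp-config.php next to an
    upload directory, so the traversal can be demonstrated offline."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(uploads, "logo.svg"), "wb") as fh:
        fh.write(b"<svg/>")
    with open(os.path.join(root, "wp-config.php"), "wb") as fh:
        fh.write(b"define('DB_PASSWORD', 'hunter2');")  # constructed secret

    results = {}
    # a legitimate asset name works with both versions
    results["legit_vuln"] = read_asset_vulnerable(uploads, "logo.svg")
    results["legit_hard"] = read_asset_hardened(uploads, "logo.svg")
    # the traversal payload: one level up, out of the upload directory
    results["escape_vuln"] = read_asset_vulnerable(uploads, "../wp-config.php")
    try:
        read_asset_hardened(uploads, "../wp-config.php")
        results["escape_hard"] = "read"
    except PermissionError:
        results["escape_hard"] = "blocked"
    # an absolute path replaces the base entirely in os.path.join()
    try:
        read_asset_hardened(uploads, "/etc/hostname")
        results["abs_hard"] = "read"
    except (PermissionError, FileNotFoundError):
        results["abs_hard"] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The containment test uses the resolved paths on both sides so that symlinks inside the upload directory cannot be used to point back out, and the suffix allowlist is a second, independent restriction: even a future bypass of the containment check would still be limited to asset-type files.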
CVE-2025-9217 was publicly disclosed on 2025-08-29. As of that date there were no known public exploits or active campaigns targeting it, and it is not listed in the CISA KEV catalog. The EPSS score on this page (0.06%, 19th percentile) predicts a low probability of exploitation in the wild, and the severity is rated Medium; neither figure is a reason to defer the update, because the precondition is only a Contributor account and the plugin is widely deployed.
WordPress sites running Slider Revolution 6.7.36 or earlier are at risk, most of all those that hand out Contributor accounts to untrusted or self-registered users. Shared hosting is an added concern only where sites are not isolated from one another at the operating-system level (for example, one PHP user serving several installations): there, a read outside one site's directory can expose other sites' files as well.
• wordpress / composer / npm:
wp plugin get revslider --field=version  # Slider Revolution's plugin slug is revslider; vulnerable if below 6.7.37
grep -m1 -E '^[[:space:]*]*Version:' /var/www/html/wp-content/plugins/revslider/revslider.php  # adjust the web root to your install
• generic web:
No reliable unauthenticated check exists: the file read requires a Contributor-level session, and probing traversal paths under the plugin directory only exercises the web server's own path normalisation, not the plugin. Confirm the installed version from the Plugins page in wp-admin or with the commands above.
Exploitation status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-9217 is to upgrade Slider Revolution to version 6.7.37 or later immediately. If the upgrade must wait for compatibility testing, reduce exposure in the meantime: deactivate the plugin if the site can tolerate it; audit Contributor-and-above accounts and disable open registration ("Anyone can register" under Settings); and put a WAF rule in front of the affected parameters that rejects traversal sequences after decoding, since a rule matching only the literal ../ misses percent-encoded and double-encoded variants. Tightening OS file permissions limits what the PHP worker can read (other sites' directories, system files) but cannot protect wp-config.php or anything else WordPress itself has to read, so treat it as damage limitation rather than a fix.
Update the Slider Revolution plugin to version 6.7.37 or later to mitigate the path traversal vulnerability. Keep your WordPress installation up to date and apply security best practices such as strong passwords and least-privilege user roles.
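As an added example of the WAF-style interim control mentioned above (written for this page, not a rule from any WAF vendor or from the plugin), the check below inspects the two parameter names the advisory gives, 'usedsvg' and 'usedimages', and normalises encodings before matching. The request bodies are constructed samples; the assumption that 'usedimages' may carry a comma-separated list is the example's own, not something the advisory states.

```python
"""Added WAF-style check for the parameters named in the CVE-2025-9217
advisory. Not vendor code: the point is that traversal must be matched after
decoding, or percent-encoded and double-encoded payloads slip past."""
import re
from urllib.parse import parse_qs, unquote

WATCHED_PARAMS = ("usedsvg", "usedimages")  # parameter names from the advisory
# a '..' path segment at the start, end or between separators (after folding
# backslashes to slashes); 'a..b.svg' does not match
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")


def normalise(value: str) -> str:
    """Percent-decode until stable (catches %2e%2e%2f and double encoding such
    as %252e), drop NUL bytes, and fold backslashes to forward slashes."""
    prev, cur = None, value
    for _ in range(3):  # bounded so hostile input cannot make the WAF loop
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\x00", "").replace("\\", "/")


def find_traversal(body: str) -> list:
    """Return (param, decoded_value) pairs for watched parameters that carry a
    traversal sequence in a form-encoded request body."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for raw in values:
            for item in raw.split(","):  # assumed: list-valued parameter
                decoded = normalise(item.strip())
                if TRAVERSAL.search(decoded):
                    hits.append((name, decoded))
    return hits


# constructed sample request bodies (not captured traffic)
SAMPLE_REQUESTS = [
    "nonce=abc&usedsvg=logo.svg",                      # benign
    "usedsvg=..%2F..%2F..%2Fwp-config.php",            # single percent-encoding
    "usedimages=%252e%252e%252fwp-config.php",         # double-encoded
    "usedimages=hero.png,..%5C..%5Cwp-config.php",     # backslashes inside a list
    "other=../etc/passwd",                             # not a watched parameter
]


def flagged_requests(bodies: list) -> list:
    """Indices of the request bodies that the rule would block."""
    return [i for i, body in enumerate(bodies) if find_traversal(body)]


if __name__ == "__main__":
    for i in flagged_requests(SAMPLE_REQUESTS):
        print(i, find_traversal(SAMPLE_REQUESTS[i]))
```

parse_qs already performs one round of percent-decoding; the extra bounded loop in normalise is what catches the double-encoded sample. A rule like this is a stopgap: it reduces the attack surface for the named parameters but does not change the vulnerable code, so the upgrade remains the fix.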
CVE-2025-9217 is an arbitrary file read vulnerability in the Slider Revolution WordPress plugin: an authenticated user with Contributor-level access or higher can read arbitrary files on the server. It affects all versions up to and including 6.7.36 and is rated Medium severity.
You are affected if your WordPress site uses the Slider Revolution plugin and is running version 6.7.36 or earlier. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the Slider Revolution plugin to version 6.7.37 or later to resolve the vulnerability. If upgrading is not possible, consider implementing WAF rules and restricting file access permissions.
As of 2025-08-29, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the vendor's (ThemePunch) Slider Revolution changelog and the CVE record for the latest advisory and update information. Slider Revolution is a commercial plugin distributed by the vendor rather than through the WordPress.org plugin directory, so the fix arrives through the plugin's own updater or the vendor's download, not the public repository.