PatchSiren cyber security CVE debrief
CVE-2026-6728 Revolution Slider CVE debrief
CVE-2026-6728 is a sensitive information exposure issue in the Slider Revolution WordPress plugin affecting versions up to and including 7.0.9. The issue is tied to the get_stream_data() function and can let unauthenticated attackers extract published password-protected post, page, and product content. The impact is confidentiality-only, but it can still expose content that site owners expected to keep restricted. NVD lists the issue with a medium severity score and a CVSS v3.1 vector consistent with network-reachable, unauthenticated information disclosure.
- Vendor: Revolution Slider
- Product: Slider Revolution
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
WordPress site administrators and security teams running Slider Revolution versions 7.0.9 or earlier should treat this as relevant, especially if the plugin is used to manage or display password-protected posts, pages, or product content.
Technical summary
The vulnerability is a CWE-200 information exposure issue in the Slider Revolution plugin. According to the supplied NVD description, the get_stream_data() function can disclose published password-protected content to unauthenticated attackers. The provided CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating remote, low-complexity access with confidentiality impact only.
Defensive priority
Medium priority: the issue is unauthenticated and remotely reachable, but the documented impact is limited to confidentiality rather than integrity or availability.
Recommended defensive actions
- Update Slider Revolution to a version newer than 7.0.9 as soon as a fixed release is available.
- Inventory WordPress sites that use Slider Revolution and confirm the installed version across all environments.
- Review whether password-protected posts, pages, or product content may have been exposed and re-apply access controls where needed.
- Check for unexpected public access to content that should remain restricted and remove or replace any exposed material.
- Monitor vendor and security advisories referenced by NVD for remediation guidance and version-specific fixes.
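One way to carry out the inventory step above, as an added example that is not part of the NVD record or the plugin's own code: it reads per-site plugin listings and flags installs inside the affected range (7.0.9 and earlier), comparing versions numerically so that 7.0.10 is not mistaken for an older release. Assumptions: the listings are JSON produced by WP-CLI's `wp plugin list --format=json`, the plugin's slug is `revslider`, and the site names and versions in the sample are constructed.

```python
import json
import re

# Assumption: the plugin's directory slug as reported by WP-CLI.
PLUGIN_SLUG = "revslider"
LAST_AFFECTED = (7, 0, 9)  # from the advisory: "up to and including 7.0.9"

def parse_version(text):
    """Return a tuple of ints for a dotted version, or None if unparsable."""
    if not re.fullmatch(r"\d+(\.\d+)*", text or ""):
        return None
    return tuple(int(p) for p in text.split("."))

def is_affected(version):
    """True/False for parsable versions, None when the version cannot be judged."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Pad so "7.0" compares as 7.0.0; numeric compare keeps 7.0.10 > 7.0.9.
    width = max(len(parsed), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(parsed) <= pad(LAST_AFFECTED)

def audit(inventory):
    """inventory maps site name -> JSON text from `wp plugin list --format=json`."""
    labels = {True: "affected", False: "not-in-range", None: "review"}
    findings = []
    for site, raw in sorted(inventory.items()):
        for plugin in json.loads(raw):
            if plugin.get("name") != PLUGIN_SLUG:
                continue
            version = plugin.get("version")
            # Inactive installs are still reported: the files remain on disk.
            findings.append((site, version, plugin.get("status"),
                             labels[is_affected(version)]))
    return findings

# Constructed sample inventory (not real sites or confirmed release numbers).
SAMPLE = {
    "shop.example": '[{"name":"revslider","status":"active","version":"7.0.9"}]',
    "blog.example": '[{"name":"revslider","status":"inactive","version":"6.7.31"}]',
    "docs.example": '[{"name":"revslider","status":"active","version":"7.0.10"}]',
    "dev.example": '[{"name":"revslider","status":"active","version":"7.1.0-beta"}]',
    "wiki.example": '[{"name":"akismet","status":"active","version":"5.3"}]',
}

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

A "not-in-range" result only means the version is above 7.0.9; confirm against the vendor changelog that the installed release actually contains the fix.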
Evidence notes
The vulnerability description, affected version range, and attack conditions are taken from the supplied NVD/NVD-derived record for CVE-2026-6728. The record states that Slider Revolution for WordPress versions up to and including 7.0.9 is vulnerable via get_stream_data(), enabling unauthenticated extraction of published password-protected post, page, and product content. NVD metadata also provides the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N and a CWE-200 classification. The source corpus includes Wordfence-referenced links to the plugin changelog and a Wordfence vulnerability advisory, but the content of those pages was not expanded in the supplied corpus, so only the existence of those references is used here.
Official resources
Publicly listed in the supplied NVD record on 2026-05-20, with the record modified the same day. No CISA KEV inclusion is indicated in the supplied data.