CVE-2014-9734

EXPLOITED

Slider Revolution <4.2 - Path Traversal


Exploitation Summary

CVE-2014-9734 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including Hugo Santiago.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file download vulnerability in multiple WordPress themes by leveraging a path traversal flaw in the 'revslider_show_image' action parameter. The PoC allows unauthorized access to sensitive files like 'wp-config.php'.

Description

Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Hugo Santiago · text · webapps · php
https://www.exploit-db.com/exploits/34511

This exploit demonstrates an arbitrary file download vulnerability in multiple WordPress themes by leveraging a path traversal flaw in the 'revslider_show_image' action parameter. The PoC allows unauthorized access to sensitive files like 'wp-config.php'.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: WordPress themes (CuckooTap, eShop, IncredibleWP, Ultimatum, Medicate, Centum, Avada, Striking, Beach Apollo)
No auth needed
Prerequisites: WordPress site with vulnerable theme installed · Access to the target's admin-ajax.php endpoint
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
webapps · php
https://www.exploit-db.com/exploits/36554

The exploit demonstrates an arbitrary file download vulnerability in WordPress Slider Revolution Responsive plugin <= 4.1.4 by leveraging a path traversal flaw in the 'img' parameter of the 'revslider_show_image' action. The PoC URL directly accesses sensitive files like 'wp-config.php' without authentication.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: WordPress Slider Revolution Responsive <= 4.1.4
No auth needed
Prerequisites: Target must have the vulnerable plugin installed and accessible
devstral-2 · analyzed Feb 19, 2026

Scores

EPSS: 0.0518
EPSS Percentile: 90.2%

Details

VulnCheck KEV: 2014-09-03
CWE: CWE-22
Status: published
Products (1): themepunch/slider_revolution < 4.1.4
Published: Jun 30, 2015
Tracked Since: Feb 18, 2026