Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network SQLi via a publicly leaked nonce gives AV:N/AC:L/PR:N/UI:N; read-only blind injection yields C:H with I:N/A:N.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'notinstring' parameter of the wprp_load_more_revs AJAX action in versions up to, and including, 12.7.2. The parameter is read via $_POST['notinstring'] and passed through sanitize_text_field() - which strips HTML and whitespace but does not provide SQL safety. The value is then concatenated directly into a numeric/unquoted AND id NOT IN (...) clause and executed via $wpdb->get_results() without $wpdb->prepare() or intval() casting. Because the value sits in an unquoted numeric context, WordPress's wp_magic_quotes protection (which only escapes embedded quotes) is ineffective. The AJAX hook is registered via wp_ajax_nopriv_wprp_load_more_revs, and the required check_ajax_referer nonce is publicly available via wp_localize_script on any frontend page that renders the plugin shortcode, so an unauthenticated attacker who can reach a public page hosting the plugin can extract arbitrary data from the database via blind/time-based injection.
AnalysisAI
SQL injection in the WP Review Slider Pro WordPress plugin (versions up to and including 12.7.2) lets unauthenticated attackers extract arbitrary database contents through the 'notinstring' parameter of the wprp_load_more_revs AJAX action. Because the action is exposed via wp_ajax_nopriv and its required nonce is leaked to the frontend through wp_localize_script on any page rendering the plugin shortcode, anyone who can reach a public page hosting the plugin can exploit it. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target WordPress site host a public frontend page rendering the WP Review Slider Pro shortcode, because that page is what exposes the check_ajax_referer nonce via wp_localize_script; with that nonce, the wp_ajax_nopriv_wprp_load_more_revs hook is reachable by unauthenticated visitors. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, 7.5) is internally consistent with the description: network-reachable, low complexity, no privileges, no user interaction, high confidentiality impact, and no integrity or availability impact - appropriate for a read-only blind/time-based SQL injection that discloses data but does not modify it. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker browses to a public page that renders the WP Review Slider Pro shortcode, scrapes the wprp_load_more_revs nonce embedded by wp_localize_script, then POSTs a crafted numeric payload in the notinstring parameter to admin-ajax.php. Using blind/time-based boolean conditions they iteratively read sensitive data such as user credentials or secret keys from the WordPress database. … |
| Remediation | No vendor-released patch version was identified in the available data, so administrators should consult the vendor change log at https://wpreviewslider.userecho.com/knowledge-bases/2/articles/88-change-log for a release later than 12.7.2 that fixes the wprp_load_more_revs handler and upgrade to it as the primary remediation, cross-checking against the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/396ba24f-e0f7-4374-a9ce-d9abddb87b39?source=cve. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: scan all WordPress installations for WP Review Slider Pro v12.7.2 or earlier; deactivate and remove the plugin via WordPress admin or file system deletion. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wpreviewslider Com
View allAuthenticated SQL injection in the WP Review Slider Pro WordPress plugin through version 12.6.8 lets Subscriber-level us
SQL injection in the WP Review Slider Pro WordPress plugin (versions ≤12.6.8) allows authenticated attackers with Subscr
Arbitrary file deletion in the WP Review Slider Pro WordPress plugin (versions up to and including 12.6.8) allows authen
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41274
GHSA-cmjq-cjh2-v8q8