Skip to main content

WP Review Slider Pro CVE-2026-8441

| EUVDEUVD-2026-41274 HIGH
SQL Injection (CWE-89)
2026-07-02 Wordfence GHSA-cmjq-cjh2-v8q8
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network SQLi via a publicly leaked nonce gives AV:N/AC:L/PR:N/UI:N; read-only blind injection yields C:H with I:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 10:17 vuln.today
CVE Published
Jul 02, 2026 - 09:32 cve.org
HIGH 7.5

DescriptionCVE.org

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'notinstring' parameter of the wprp_load_more_revs AJAX action in versions up to, and including, 12.7.2. The parameter is read via $_POST['notinstring'] and passed through sanitize_text_field() - which strips HTML and whitespace but does not provide SQL safety. The value is then concatenated directly into a numeric/unquoted AND id NOT IN (...) clause and executed via $wpdb->get_results() without $wpdb->prepare() or intval() casting. Because the value sits in an unquoted numeric context, WordPress's wp_magic_quotes protection (which only escapes embedded quotes) is ineffective. The AJAX hook is registered via wp_ajax_nopriv_wprp_load_more_revs, and the required check_ajax_referer nonce is publicly available via wp_localize_script on any frontend page that renders the plugin shortcode, so an unauthenticated attacker who can reach a public page hosting the plugin can extract arbitrary data from the database via blind/time-based injection.

AnalysisAI

SQL injection in the WP Review Slider Pro WordPress plugin (versions up to and including 12.7.2) lets unauthenticated attackers extract arbitrary database contents through the 'notinstring' parameter of the wprp_load_more_revs AJAX action. Because the action is exposed via wp_ajax_nopriv and its required nonce is leaked to the frontend through wp_localize_script on any page rendering the plugin shortcode, anyone who can reach a public page hosting the plugin can exploit it. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach public page with plugin shortcode
Delivery
Scrape wprp_load_more_revs nonce from page
Exploit
POST crafted notinstring to admin-ajax.php
Execution
Break out of unquoted NOT IN clause
Impact
Extract data via time-based blind injection

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target WordPress site host a public frontend page rendering the WP Review Slider Pro shortcode, because that page is what exposes the check_ajax_referer nonce via wp_localize_script; with that nonce, the wp_ajax_nopriv_wprp_load_more_revs hook is reachable by unauthenticated visitors. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, 7.5) is internally consistent with the description: network-reachable, low complexity, no privileges, no user interaction, high confidentiality impact, and no integrity or availability impact - appropriate for a read-only blind/time-based SQL injection that discloses data but does not modify it. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker browses to a public page that renders the WP Review Slider Pro shortcode, scrapes the wprp_load_more_revs nonce embedded by wp_localize_script, then POSTs a crafted numeric payload in the notinstring parameter to admin-ajax.php. Using blind/time-based boolean conditions they iteratively read sensitive data such as user credentials or secret keys from the WordPress database. …
Remediation No vendor-released patch version was identified in the available data, so administrators should consult the vendor change log at https://wpreviewslider.userecho.com/knowledge-bases/2/articles/88-change-log for a release later than 12.7.2 that fixes the wprp_load_more_revs handler and upgrade to it as the primary remediation, cross-checking against the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/396ba24f-e0f7-4374-a9ce-d9abddb87b39?source=cve. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: scan all WordPress installations for WP Review Slider Pro v12.7.2 or earlier; deactivate and remove the plugin via WordPress admin or file system deletion. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8441 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy