Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Network-reachable AJAX endpoint (AV:N), trivial traversal payload (AC:L), Subscriber session required (PR:L), no UI; arbitrary delete breaks integrity and availability without disclosing data.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8. This is due to missing authorization checks on the wpfb_hide_review and wprp_save_review_admin AJAX handlers combined with insufficient path validation in the wpfb_hidereview_ajax() function, which uses strpos() to check that a stored media URL starts with the expected prefix but fails to sanitize path traversal sequences in the remaining relative path before passing it to unlink(). This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the affected site's server which may make remote code execution possible.
AnalysisAI
Arbitrary file deletion in the WP Review Slider Pro WordPress plugin (versions up to and including 12.6.8) allows authenticated attackers with Subscriber-level access to delete arbitrary files on the underlying server, potentially escalating to remote code execution by removing files such as wp-config.php to trigger the WordPress setup flow. The flaw stems from missing capability checks on two AJAX handlers (wpfb_hide_review and wprp_save_review_admin) combined with a defective strpos()-based prefix check in wpfb_hidereview_ajax() that fails to neutralize path traversal sequences before calling unlink(). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; reported by Wordfence.
Technical ContextAI
The vulnerability is a CWE-22 Path Traversal flaw in a commercial WordPress plugin that ingests and displays third-party review content. The wpfb_hidereview_ajax() function attempts to constrain deletions to media URLs under a known prefix by using PHP's strpos() to verify the supplied path starts with that prefix, but it does not canonicalize the remainder of the string or strip '../' sequences before passing the value to unlink(). Because WordPress AJAX endpoints registered with wp_ajax_<action> hooks are reachable by any logged-in user when the action is not gated by current_user_can() or a properly scoped nonce, the missing authorization on wpfb_hide_review and wprp_save_review_admin lets a Subscriber (the lowest authenticated WordPress role, often self-registerable on sites that permit open registration) reach the vulnerable sink. The CPE entry cpe:2.3:a:https://wpreviewslider.com/:wp_review_slider_pro covers all versions through 12.6.8.
RemediationAI
No vendor-released patch identified at time of analysis from the provided references - the Wordfence advisory and vendor site should be consulted directly for a fixed release beyond 12.6.8, and administrators should upgrade as soon as the vendor publishes one. Until a patch is available, disable or remove the WP Review Slider Pro plugin on any site that permits user self-registration, since this transforms the bug from a low-privilege flaw into a near-anonymous one; if removal is not viable, set the 'Anyone can register' option in Settings > General to off and audit existing Subscriber accounts (trade-off: blocks legitimate self-registration flows for membership or WooCommerce customer accounts). As a network-layer mitigation, use a WAF rule to block POST requests to /wp-admin/admin-ajax.php where the action parameter equals wpfb_hide_review or wprp_save_review_admin (trade-off: breaks the plugin's review-hiding workflow for legitimate admins). File-system hardening - making wp-config.php and core WordPress files read-only or owned by a user the PHP process cannot modify - limits the RCE path but does not stop deletion of uploads, themes, or .htaccess.
More in Wpreviewslider Com
View allAuthenticated SQL injection in the WP Review Slider Pro WordPress plugin through version 12.6.8 lets Subscriber-level us
SQL injection in the WP Review Slider Pro WordPress plugin (versions ≤12.6.8) allows authenticated attackers with Subscr
SQL injection in the WP Review Slider Pro WordPress plugin (versions up to and including 12.7.2) lets unauthenticated at
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37061
GHSA-h2hx-8pjw-mmmw