Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable AJAX endpoint (AV:N), no special complexity (AC:L), Subscriber account required (PR:L), no user interaction (UI:N), full DB read/write/destroy via SQLi (C/I/A:H).
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'stypes' and 'slocations' parameters of the wppro_get_overall_chart_data AJAX action in versions up to, and including, 12.6.8. This is due to the use of stripslashes() on user-supplied JSON strings prior to json_decode(), which removes the escaping applied by WordPress's wp_magic_quotes; the resulting decoded array values are then concatenated directly into SQL WHERE clauses without parameterization, and the constructed query is executed via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The handler also returns the executed SQL string in its JSON response, which simplifies oracle construction for blind exploitation.
AnalysisAI
SQL injection in the WP Review Slider Pro WordPress plugin (versions ≤12.6.8) allows authenticated attackers with Subscriber-level access to inject arbitrary SQL via the 'stypes' and 'slocations' JSON parameters of the wppro_get_overall_chart_data AJAX action. Because the vulnerable handler echoes the executed SQL back in its JSON response, attackers gain a built-in oracle that turns blind injection into a near-trivial database extraction primitive. No public exploit identified at time of analysis, but the very low privilege barrier on a default WordPress install makes any exposed site a realistic target.
Technical ContextAI
The plugin's AJAX endpoint accepts JSON-encoded arrays in the 'stypes' and 'slocations' POST parameters. WordPress's wp_magic_quotes automatically backslash-escapes incoming superglobal data, but the handler calls stripslashes() on these strings before passing them to json_decode(), undoing the platform's escaping. The decoded array elements are then concatenated directly into a WHERE clause and executed through $wpdb->get_results() without ever going through $wpdb->prepare() or wpdb::esc_like(), satisfying the classic CWE-89 pattern of tainted data reaching a SQL sink without parameterization. The CPE 'cpe:2.3:a:https://wpreviewslider.com/:wp_review_slider_pro:*' covers all versions up to and including 12.6.8.
RemediationAI
No vendor-released patch version was provided in the available data, so the immediate action is to consult the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/1055bba0-7dbd-4382-afaf-ecea442c527c?source=cve) and the vendor at https://wpreviewslider.com/ for a release greater than 12.6.8 and upgrade as soon as one is published. As compensating controls until a fixed build is installed: disable open user registration in WordPress (Settings → General, uncheck 'Anyone can register') to remove the Subscriber-account precondition, with the side effect that legitimate self-service signups are blocked; block or rate-limit POST requests to /wp-admin/admin-ajax.php with action=wppro_get_overall_chart_data at a WAF, accepting that any in-product chart features relying on that action will break; and as a last resort deactivate the plugin entirely, which removes the front-end review slider widgets. Audit existing Subscriber accounts and database logs for suspicious SELECTs against wp_users/wp_usermeta and rotate secrets if compromise is suspected.
More in Wpreviewslider Com
View allAuthenticated SQL injection in the WP Review Slider Pro WordPress plugin through version 12.6.8 lets Subscriber-level us
Arbitrary file deletion in the WP Review Slider Pro WordPress plugin (versions up to and including 12.6.8) allows authen
SQL injection in the WP Review Slider Pro WordPress plugin (versions up to and including 12.7.2) lets unauthenticated at
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37037
GHSA-m8xj-3v37-wrp9