Skip to main content

WP Review Slider Pro CVE-2026-8443

| EUVDEUVD-2026-37037 HIGH
SQL Injection (CWE-89)
2026-06-16 Wordfence GHSA-m8xj-3v37-wrp9
8.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
HIGH
qualitative
NVD
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable AJAX endpoint (AV:N), no special complexity (AC:L), Subscriber account required (PR:L), no user interaction (UI:N), full DB read/write/destroy via SQLi (C/I/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 06:20 vuln.today
CVE Published
Jun 16, 2026 - 05:33 cve.org
HIGH 8.8

DescriptionNVD

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'stypes' and 'slocations' parameters of the wppro_get_overall_chart_data AJAX action in versions up to, and including, 12.6.8. This is due to the use of stripslashes() on user-supplied JSON strings prior to json_decode(), which removes the escaping applied by WordPress's wp_magic_quotes; the resulting decoded array values are then concatenated directly into SQL WHERE clauses without parameterization, and the constructed query is executed via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The handler also returns the executed SQL string in its JSON response, which simplifies oracle construction for blind exploitation.

AnalysisAI

SQL injection in the WP Review Slider Pro WordPress plugin (versions ≤12.6.8) allows authenticated attackers with Subscriber-level access to inject arbitrary SQL via the 'stypes' and 'slocations' JSON parameters of the wppro_get_overall_chart_data AJAX action. Because the vulnerable handler echoes the executed SQL back in its JSON response, attackers gain a built-in oracle that turns blind injection into a near-trivial database extraction primitive. No public exploit identified at time of analysis, but the very low privilege barrier on a default WordPress install makes any exposed site a realistic target.

Technical ContextAI

The plugin's AJAX endpoint accepts JSON-encoded arrays in the 'stypes' and 'slocations' POST parameters. WordPress's wp_magic_quotes automatically backslash-escapes incoming superglobal data, but the handler calls stripslashes() on these strings before passing them to json_decode(), undoing the platform's escaping. The decoded array elements are then concatenated directly into a WHERE clause and executed through $wpdb->get_results() without ever going through $wpdb->prepare() or wpdb::esc_like(), satisfying the classic CWE-89 pattern of tainted data reaching a SQL sink without parameterization. The CPE 'cpe:2.3:a:https://wpreviewslider.com/:wp_review_slider_pro:*' covers all versions up to and including 12.6.8.

RemediationAI

No vendor-released patch version was provided in the available data, so the immediate action is to consult the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/1055bba0-7dbd-4382-afaf-ecea442c527c?source=cve) and the vendor at https://wpreviewslider.com/ for a release greater than 12.6.8 and upgrade as soon as one is published. As compensating controls until a fixed build is installed: disable open user registration in WordPress (Settings → General, uncheck 'Anyone can register') to remove the Subscriber-account precondition, with the side effect that legitimate self-service signups are blocked; block or rate-limit POST requests to /wp-admin/admin-ajax.php with action=wppro_get_overall_chart_data at a WAF, accepting that any in-product chart features relying on that action will break; and as a last resort deactivate the plugin entirely, which removes the front-end review slider widgets. Audit existing Subscriber accounts and database logs for suspicious SELECTs against wp_users/wp_usermeta and rotate secrets if compromise is suspected.

Share

CVE-2026-8443 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy