Skip to main content

WP Review Slider Pro EUVDEUVD-2026-37061

| CVE-2026-8442 HIGH
Path Traversal (CWE-22)
2026-06-16 Wordfence GHSA-h2hx-8pjw-mmmw
8.1
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
HIGH
qualitative
NVD
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable AJAX endpoint (AV:N), trivial traversal payload (AC:L), Subscriber session required (PR:L), no UI; arbitrary delete breaks integrity and availability without disclosing data.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 10:20 vuln.today
CVE Published
Jun 16, 2026 - 09:31 cve.org
HIGH 8.1

DescriptionNVD

The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8. This is due to missing authorization checks on the wpfb_hide_review and wprp_save_review_admin AJAX handlers combined with insufficient path validation in the wpfb_hidereview_ajax() function, which uses strpos() to check that a stored media URL starts with the expected prefix but fails to sanitize path traversal sequences in the remaining relative path before passing it to unlink(). This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the affected site's server which may make remote code execution possible.

AnalysisAI

Arbitrary file deletion in the WP Review Slider Pro WordPress plugin (versions up to and including 12.6.8) allows authenticated attackers with Subscriber-level access to delete arbitrary files on the underlying server, potentially escalating to remote code execution by removing files such as wp-config.php to trigger the WordPress setup flow. The flaw stems from missing capability checks on two AJAX handlers (wpfb_hide_review and wprp_save_review_admin) combined with a defective strpos()-based prefix check in wpfb_hidereview_ajax() that fails to neutralize path traversal sequences before calling unlink(). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; reported by Wordfence.

Technical ContextAI

The vulnerability is a CWE-22 Path Traversal flaw in a commercial WordPress plugin that ingests and displays third-party review content. The wpfb_hidereview_ajax() function attempts to constrain deletions to media URLs under a known prefix by using PHP's strpos() to verify the supplied path starts with that prefix, but it does not canonicalize the remainder of the string or strip '../' sequences before passing the value to unlink(). Because WordPress AJAX endpoints registered with wp_ajax_<action> hooks are reachable by any logged-in user when the action is not gated by current_user_can() or a properly scoped nonce, the missing authorization on wpfb_hide_review and wprp_save_review_admin lets a Subscriber (the lowest authenticated WordPress role, often self-registerable on sites that permit open registration) reach the vulnerable sink. The CPE entry cpe:2.3:a:https://wpreviewslider.com/:wp_review_slider_pro covers all versions through 12.6.8.

RemediationAI

No vendor-released patch identified at time of analysis from the provided references - the Wordfence advisory and vendor site should be consulted directly for a fixed release beyond 12.6.8, and administrators should upgrade as soon as the vendor publishes one. Until a patch is available, disable or remove the WP Review Slider Pro plugin on any site that permits user self-registration, since this transforms the bug from a low-privilege flaw into a near-anonymous one; if removal is not viable, set the 'Anyone can register' option in Settings > General to off and audit existing Subscriber accounts (trade-off: blocks legitimate self-registration flows for membership or WooCommerce customer accounts). As a network-layer mitigation, use a WAF rule to block POST requests to /wp-admin/admin-ajax.php where the action parameter equals wpfb_hide_review or wprp_save_review_admin (trade-off: breaks the plugin's review-hiding workflow for legitimate admins). File-system hardening - making wp-config.php and core WordPress files read-only or owned by a user the PHP process cannot modify - limits the RCE path but does not stop deletion of uploads, themes, or .htaccess.

Share

EUVD-2026-37061 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy