Skip to main content

Wpreviewslider Com

4 CVEs product

Monthly

CVE-2026-8441 HIGH This Week

SQL injection in the WP Review Slider Pro WordPress plugin (versions up to and including 12.7.2) lets unauthenticated attackers extract arbitrary database contents through the 'notinstring' parameter of the wprp_load_more_revs AJAX action. Because the action is exposed via wp_ajax_nopriv and its required nonce is leaked to the frontend through wp_localize_script on any page rendering the plugin shortcode, anyone who can reach a public page hosting the plugin can exploit it. Reported by Wordfence with a CVSS of 7.5; no public exploit identified at time of analysis.

WordPress SQLi Wpreviewslider Com
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-8442 HIGH This Week

Arbitrary file deletion in the WP Review Slider Pro WordPress plugin (versions up to and including 12.6.8) allows authenticated attackers with Subscriber-level access to delete arbitrary files on the underlying server, potentially escalating to remote code execution by removing files such as wp-config.php to trigger the WordPress setup flow. The flaw stems from missing capability checks on two AJAX handlers (wpfb_hide_review and wprp_save_review_admin) combined with a defective strpos()-based prefix check in wpfb_hidereview_ajax() that fails to neutralize path traversal sequences before calling unlink(). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; reported by Wordfence.

Path Traversal WordPress RCE Wpreviewslider Com
NVD VulDB
CVSS 3.1
8.1
EPSS
0.8%
CVE-2026-8444 HIGH This Week

Authenticated SQL injection in the WP Review Slider Pro WordPress plugin through version 12.6.8 lets Subscriber-level users append arbitrary SQL via the wpfb_find_reviews AJAX action, enabling extraction of sensitive database contents including user credentials and secrets. The flaw is reachable by any logged-in WordPress account, which on sites with open registration effectively lowers the bar to near-unauthenticated. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

WordPress SQLi Wpreviewslider Com
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-8443 HIGH This Week

SQL injection in the WP Review Slider Pro WordPress plugin (versions ≤12.6.8) allows authenticated attackers with Subscriber-level access to inject arbitrary SQL via the 'stypes' and 'slocations' JSON parameters of the wppro_get_overall_chart_data AJAX action. Because the vulnerable handler echoes the executed SQL back in its JSON response, attackers gain a built-in oracle that turns blind injection into a near-trivial database extraction primitive. No public exploit identified at time of analysis, but the very low privilege barrier on a default WordPress install makes any exposed site a realistic target.

WordPress SQLi Oracle Wpreviewslider Com
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in the WP Review Slider Pro WordPress plugin (versions up to and including 12.7.2) lets unauthenticated attackers extract arbitrary database contents through the 'notinstring' parameter of the wprp_load_more_revs AJAX action. Because the action is exposed via wp_ajax_nopriv and its required nonce is leaked to the frontend through wp_localize_script on any page rendering the plugin shortcode, anyone who can reach a public page hosting the plugin can exploit it. Reported by Wordfence with a CVSS of 7.5; no public exploit identified at time of analysis.

WordPress SQLi Wpreviewslider Com
NVD VulDB
EPSS 1% CVSS 8.1
HIGH This Week

Arbitrary file deletion in the WP Review Slider Pro WordPress plugin (versions up to and including 12.6.8) allows authenticated attackers with Subscriber-level access to delete arbitrary files on the underlying server, potentially escalating to remote code execution by removing files such as wp-config.php to trigger the WordPress setup flow. The flaw stems from missing capability checks on two AJAX handlers (wpfb_hide_review and wprp_save_review_admin) combined with a defective strpos()-based prefix check in wpfb_hidereview_ajax() that fails to neutralize path traversal sequences before calling unlink(). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; reported by Wordfence.

Path Traversal WordPress RCE +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated SQL injection in the WP Review Slider Pro WordPress plugin through version 12.6.8 lets Subscriber-level users append arbitrary SQL via the wpfb_find_reviews AJAX action, enabling extraction of sensitive database contents including user credentials and secrets. The flaw is reachable by any logged-in WordPress account, which on sites with open registration effectively lowers the bar to near-unauthenticated. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

WordPress SQLi Wpreviewslider Com
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

SQL injection in the WP Review Slider Pro WordPress plugin (versions ≤12.6.8) allows authenticated attackers with Subscriber-level access to inject arbitrary SQL via the 'stypes' and 'slocations' JSON parameters of the wppro_get_overall_chart_data AJAX action. Because the vulnerable handler echoes the executed SQL back in its JSON response, attackers gain a built-in oracle that turns blind injection into a near-trivial database extraction primitive. No public exploit identified at time of analysis, but the very low privilege barrier on a default WordPress install makes any exposed site a realistic target.

WordPress SQLi Oracle +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy