Description
The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8. This is due to missing authorization checks on the wpfb_hide_review and wprp_save_review_admin AJAX handlers combined with insufficient path validation in the wpfb_hidereview_ajax() function, which uses strpos() to check that a stored media URL starts with the expected prefix but fails to sanitize path traversal sequences in the remaining relative path before passing it to unlink(). This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Review Slider Pro plugin contains an authorization flaw that allows authenticated users with subscriber or higher privileges to delete any file on the web server via the wpfb_hide_review and wprp_save_review_admin AJAX handlers. The flaw stems from insufficient validation of the file path passed to unlink(): the code checks the stored media URL with strpos() for the expected prefix but does not sanitize path traversal sequences in the remaining relative path. Successful exploitation removes critical files and can create a foothold for remote code execution if the attacker controls the deleted file's content or its replacement. This represents a serious breach of file system integrity and availability.
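The description and the impact paragraph above both come down to the same weakness: a prefix check with strpos() does nothing about "../" in the rest of the path. The following is an added PHP example of the containment check a defender would want in front of unlink(); it is not the plugin's code, and the helper name, URL prefix and directory layout are assumptions.

```php
<?php
// Added example (not the plugin's code): a hardened containment check for a
// stored media URL before unlink(). The helper name, the URL prefix and the
// directory layout are assumptions. In a real admin-ajax handler this would run
// only after a capability check (current_user_can) and a nonce check
// (check_ajax_referer), which the advisory says were missing.

function wprp_example_delete_media(string $base_dir, string $stored_url, string $url_prefix): bool
{
    // A prefix check alone, which is all strpos() gives you, does not stop
    // "../" segments in the remainder of the URL.
    if (strpos($stored_url, $url_prefix) !== 0) {
        return false;
    }
    $relative = substr($stored_url, strlen($url_prefix));

    // Reject null bytes, empty segments and traversal segments explicitly.
    if ($relative === '' || strpos($relative, "\0") !== false) {
        return false;
    }
    foreach (explode('/', str_replace('\\', '/', $relative)) as $segment) {
        if ($segment === '' || $segment === '..') {
            return false;
        }
    }

    // Canonicalise both paths and require containment after resolution, so
    // symlinks or encoded tricks cannot point outside the media directory.
    $real_base   = realpath($base_dir);
    $real_target = realpath($base_dir . '/' . $relative);
    if ($real_base === false || $real_target === false || !is_file($real_target)) {
        return false;
    }
    if (strpos($real_target, $real_base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return unlink($real_target);
}

// Constructed demonstration against a throwaway media directory.
$base   = sys_get_temp_dir() . '/wprp_media_' . bin2hex(random_bytes(4));
$prefix = 'https://example.com/wp-content/uploads/wprp/';
mkdir($base);
file_put_contents($base . '/review-1.jpg', 'x');
var_dump(wprp_example_delete_media($base, $prefix . 'review-1.jpg', $prefix));   // file inside the media directory
var_dump(wprp_example_delete_media($base, $prefix . '../outside.txt', $prefix)); // traversal segment in the remainder
rmdir($base);
```

The second call is refused at the segment check before realpath() is ever consulted, so a missing target file never becomes an information leak about what exists outside the media directory.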

Affected Systems

WordPress sites that utilize the WP Review Slider Pro plugin in any version up to and including 12.6.8 are affected. The vulnerability is tied to the plugin’s AJAX functionality and impacts all sites that have the plugin installed regardless of site theme or other plugins.

Risk and Exploitability

The CVSS base score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not yet listed in CISA’s KEV catalog, but the missing authorization checks combined with the weak path validation mean that once a subscriber account is compromised, an attacker can delete arbitrary server files. Given the data, the most likely attack vector is authenticated (an insider or a compromised low-privilege account), where a legitimate user can trigger the vulnerable endpoint. Exploitation is limited to the plugin’s unprotected AJAX endpoints and the missing path sanitization, which together allow deletion of any file the web server process can remove.

Generated by OpenCVE AI on June 16, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Review Slider Pro to version 12.6.9 or newer.
  • Block the wpfb_hide_review and wprp_save_review_admin AJAX actions for subscriber-level users by disabling those actions or adding custom role checks.
  • Use a web application firewall rule to filter or block requests to the vulnerable AJAX endpoints (e.g., admin-ajax.php with the myaction parameter) until a permanent fix is applied.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 18:30:00 +0000

Type      Values Removed  Values Added
Metrics   -               ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 09:45:00 +0000

Type          Values Removed  Values Added
Description   -               The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8. This is due to missing authorization checks on the wpfb_hide_review and wprp_save_review_admin AJAX handlers combined with insufficient path validation in the wpfb_hidereview_ajax() function, which uses strpos() to check that a stored media URL starts with the expected prefix but fails to sanitize path traversal sequences in the remaining relative path before passing it to unlink(). This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the affected site's server which may make remote code execution possible.
Title         -               WP Review Slider Pro <= 12.6.8 - Authenticated (Subscriber+) Arbitrary File Deletion via 'myaction' Parameter
Weaknesses    -               CWE-22
References    -               -
Metrics       -               cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-16T17:10:18.517Z

Reserved: 2026-05-12T19:51:36.538Z

Link: CVE-2026-8442

Vulnrichment

Updated: 2026-06-16T14:56:46.444Z

NVD

Status : Deferred

Published: 2026-06-16T10:16:29.330

Modified: 2026-06-16T15:22:49.577

Link: CVE-2026-8442

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T20:45:02Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')