Description
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action in versions up to, and including, 12.6.8. This is due to the handler reading $_POST['curselrevs'] raw with no sanitization or type casting, then concatenating each array element directly into a `WHERE id IN ( ... )` clause without quoting and executing via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Review Slider Pro plugin for WordPress contains a SQL Injection vulnerability in the wpfb_find_reviews AJAX action. The 'curselrevs[]' parameter is concatenated directly into a SQL statement without sanitization or quoting, allowing an attacker with Subscriber-level access or higher to inject additional SQL statements. This flaw can be leveraged to read arbitrary data from the database, exposing sensitive information such as user credentials, post content, or configuration settings. The weakness is categorized as CWE-89.

Affected Systems

All installations of WP Review Slider Pro version 12.6.8 or earlier on a WordPress site are affected. Any user role with Subscriber or higher permission that can trigger the wpfb_find_reviews AJAX request can reach the vulnerable code. The affected code runs in any standard WordPress environment where the plugin is active.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild at this time. It is not listed in the CISA KEV catalog, so there is no evidence of active exploitation campaigns yet. Attackers would need valid WordPress credentials and permission to execute AJAX requests; the vulnerability does not allow unauthenticated or remote code execution. Nonetheless, the ability to exfiltrate database content poses significant confidentiality and integrity risks.

Generated by OpenCVE AI on June 16, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Review Slider Pro to version 12.6.9 or later as soon as the vendor releases a fix.
  • If an upgrade is not immediately possible, modify the plugin or add custom code to sanitize the 'curselrevs' parameter and quote values before executing the query, or disable the vulnerable AJAX action for users below administrator level.
  • Review WordPress user role assignments and restrict subscriber permissions to prevent the triggering of vulnerable AJAX calls; consider limiting AJAX accessibility to administrators only.
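As an added illustration of the second action above (sanitizing and binding the 'curselrevs' values rather than concatenating them), the following is a hardened handler pattern written for this page; it is not the plugin's own code, and the action name, nonce name, capability and table name are assumptions.

```php
<?php
// Added example (not the plugin's code): a hardened WordPress AJAX handler
// for an id-list lookup. The hook name, nonce action, capability and table
// name are assumptions chosen for illustration.

add_action( 'wp_ajax_wpfb_find_reviews_safe', 'wpfb_find_reviews_safe' );

function wpfb_find_reviews_safe() {
    global $wpdb;

    // Verify request origin and caller permissions before reading any input.
    check_ajax_referer( 'wpfb_find_reviews', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Type-cast every array element: absint() turns any non-numeric
    // payload into 0, and array_filter() then drops those zero values.
    $raw = isset( $_POST['curselrevs'] ) ? (array) wp_unslash( $_POST['curselrevs'] ) : array();
    $ids = array_values( array_filter( array_map( 'absint', $raw ) ) );

    if ( empty( $ids ) ) {
        wp_send_json_success( array() );
    }

    // One %d placeholder per id, bound through $wpdb->prepare(); no
    // request value is ever concatenated into the SQL string.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $table        = $wpdb->prefix . 'wpfb_reviews'; // assumed table name
    $sql          = "SELECT * FROM {$table} WHERE id IN ({$placeholders})";
    $rows         = $wpdb->get_results( $wpdb->prepare( $sql, $ids ) );

    wp_send_json_success( $rows );
}
```

$wpdb->prepare() accepts the id list as a single array argument, so the number of placeholders always matches the number of bound values.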

Generated by OpenCVE AI on June 16, 2026 at 20:21 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 08:00:00 +0000

Type: Description
Values removed: (none)
Values added: The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action in versions up to, and including, 12.6.8. This is due to the handler reading $_POST['curselrevs'] raw with no sanitization or type casting, then concatenating each array element directly into a `WHERE id IN ( ... )` clause without quoting and executing via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values removed: (none)
Values added: WP Review Slider Pro <= 12.6.8 - Authenticated (Subscriber+) SQL Injection via 'curselrevs' Parameter

Type: Weaknesses
Values removed: (none)
Values added: CWE-89

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-16T13:56:17.761Z

Reserved: 2026-05-12T20:21:10.283Z

Link: CVE-2026-8444

Vulnrichment

Updated: 2026-06-16T13:56:14.011Z

NVD

Status: Deferred

Published: 2026-06-16T08:16:24.100

Modified: 2026-06-16T15:22:49.577

Link: CVE-2026-8444

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T20:30:03Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')