CVE-2026-8442
Received Received - Intake
Arbitrary File Deletion in WP Review Slider Pro Plugin

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Wordfence

Description
The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8. This is due to missing authorization checks on the wpfb_hide_review and wprp_save_review_admin AJAX handlers combined with insufficient path validation in the wpfb_hidereview_ajax() function, which uses strpos() to check that a stored media URL starts with the expected prefix but fails to sanitize path traversal sequences in the remaining relative path before passing it to unlink(). This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the affected site's server which may make remote code execution possible.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-16
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-06-16
EPSS Evaluated
N/A
NVD
CVE-2026-8442
EUVD
EUVD-2026-37061
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_review_slider_pro wp_review_slider_pro to 12.6.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WP Review Slider Pro plugin for WordPress has a vulnerability in versions up to and including 12.6.8 that allows arbitrary file deletion. This happens because certain AJAX handlers (wpfb_hide_review and wprp_save_review_admin) lack proper authorization checks. Additionally, the function wpfb_hidereview_ajax() uses a weak method (strpos()) to verify media URLs but does not properly sanitize path traversal sequences in the file path before deleting files with unlink().

As a result, authenticated users with subscriber-level access or higher can delete arbitrary files on the server hosting the affected site.

Impact Analysis

This vulnerability can have serious impacts because it allows attackers with low-level authenticated access to delete any file on the server. This could lead to loss of important data or website files.

Moreover, deleting critical files may enable remote code execution, which means attackers could potentially take full control of the affected website or server.

Compliance Impact

The vulnerability allows authenticated attackers with subscriber-level access and above to delete arbitrary files on the affected site's server, potentially leading to remote code execution.

Such unauthorized file deletion and potential remote code execution could compromise the integrity and availability of data, which are critical aspects of compliance with standards like GDPR and HIPAA.

However, the provided information does not explicitly describe the direct impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8442. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart