CVE-2026-8443
Status: Received - Intake
SQL Injection in WP Review Slider Pro Plugin

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Wordfence

Description
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'stypes' and 'slocations' parameters of the wppro_get_overall_chart_data AJAX action in versions up to, and including, 12.6.8. This is due to the use of stripslashes() on user-supplied JSON strings prior to json_decode(), which removes the escaping applied by WordPress's wp_magic_quotes; the resulting decoded array values are then concatenated directly into SQL WHERE clauses without parameterization, and the constructed query is executed via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The handler also returns the executed SQL string in its JSON response, which simplifies oracle construction for blind exploitation.
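The following PHP is an added illustration of the pattern described above and of its parameterized counterpart; it is not the plugin's code and was not taken from this record. To run offline with plain `php`, it defines a tiny stand-in for `$wpdb` whose `prepare()` only imitates how WordPress quotes `%s`/`%d` placeholders (an assumption, not WordPress itself); the table name, the JSON array shape and the sample request are constructed for the demonstration.

```php
<?php
// Added example, not the plugin's own code. Contrasts the vulnerable pattern
// (stripslashes() -> json_decode() -> string concatenation into WHERE) with a
// version that binds the same values through prepare() placeholders.

// Minimal stand-in for $wpdb so the file runs without WordPress (assumption).
class FakeWpdb
{
    public string $prefix = 'wp_';

    // Imitates wpdb::prepare(): %s -> quoted + escaped string, %d -> integer.
    public function prepare(string $query, array $args): string
    {
        $i = 0;
        return preg_replace_callback('/%([sd])/', function (array $m) use ($args, &$i) {
            $value = $args[$i++] ?? '';
            return $m[1] === 'd'
                ? (string) (int) $value
                : "'" . addslashes((string) $value) . "'";
        }, $query);
    }
}

// Simulates what the handler actually receives: WordPress's wp_magic_quotes()
// has already backslash-escaped every quote in $_POST before the plugin runs.
function magic_quoted(string $raw): string
{
    return addslashes($raw);
}

// The advisory's pattern: stripslashes() undoes the magic-quote escaping,
// json_decode() yields user-controlled strings, and those strings are glued
// into the WHERE clause with no escaping and no placeholders.
function vulnerable_query(FakeWpdb $wpdb, array $post): string
{
    $types = json_decode(stripslashes($post['stypes'] ?? ''), true);
    $types = is_array($types) ? $types : [];
    $where = 'WHERE 1=1';
    if ($types !== []) {
        $where .= " AND type IN ('" . implode("','", $types) . "')";
    }
    return "SELECT * FROM {$wpdb->prefix}wppro_reviews $where";
}

// Hardened form: same decoding, but only string values are kept and each one is
// bound through prepare() with its own %s placeholder, so a quote inside a value
// stays inside its string literal. (Real WordPress code would call wp_unslash();
// the stub has no such helper, so stripslashes() stands in for it here.)
function hardened_query(FakeWpdb $wpdb, array $post): string
{
    $types = json_decode(stripslashes($post['stypes'] ?? ''), true);
    $types = is_array($types) ? array_values(array_filter($types, 'is_string')) : [];
    $sql = "SELECT * FROM {$wpdb->prefix}wppro_reviews WHERE 1=1";
    if ($types === []) {
        return $sql;
    }
    $placeholders = implode(',', array_fill(0, count($types), '%s'));
    // Real wpdb::prepare() also accepts the values as variadic arguments.
    return $wpdb->prepare("$sql AND type IN ($placeholders)", $types);
}

$wpdb = new FakeWpdb();
// Constructed request: one value carries a single quote, which is enough to
// show whether that quote lands inside or outside the SQL string literal.
$post = ['stypes' => magic_quoted('["google\'", "yelp"]')];

echo 'vulnerable: ' . vulnerable_query($wpdb, $post) . PHP_EOL;
echo 'hardened:   ' . hardened_query($wpdb, $post) . PHP_EOL;
```

Running it shows the difference in the two printed statements: in the vulnerable query the quote from the input terminates the `'google'` literal, so whatever follows it is parsed as SQL, while in the hardened query the same quote is backslash-escaped and remains data. In a real handler the other two points from the description also apply: the executed SQL must not be echoed back in the JSON response, and the action should carry a capability check (for example `current_user_can()`) so that Subscriber-level accounts cannot reach it at all.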
Meta Information
Published: 2026-06-16
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor        Product               Version / Range
josh_white    wpreviewslider_pro    up to 12.6.8 (inclusive)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL injection in versions up to and including 12.6.8. The flaw is reachable through the 'stypes' and 'slocations' parameters of the wppro_get_overall_chart_data AJAX action. It arises because the plugin calls stripslashes() on user-supplied JSON strings before decoding them, which removes the escaping WordPress had applied. The decoded values are then concatenated directly into SQL WHERE clauses without parameterization or $wpdb->prepare(), so user-controlled input is interpreted as part of the SQL statement.

Authenticated users with Subscriber-level access or higher can exploit this vulnerability to append additional SQL to the existing queries, which can be used to extract sensitive information from the database. Additionally, the handler returns the executed SQL string in its JSON response, which gives an attacker direct feedback on how the input was interpreted and so makes blind SQL injection easier to carry out.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive database information. Attackers with even low-level authenticated access can exploit the SQL Injection flaw to extract confidential data, potentially compromising user data, site content, and other sensitive information stored in the database.

Because the vulnerability allows execution of arbitrary SQL queries, it can also lead to data manipulation or deletion, affecting the integrity and availability of the website's data. This can result in loss of customer trust, damage to the website's reputation, and potential financial losses.

Detection Guidance

This vulnerability can be detected by monitoring AJAX requests to the wppro_get_overall_chart_data action of the WP Review Slider Pro plugin, specifically requests that carry the 'stypes' and 'slocations' parameters.

Since the injection happens through these parameters, detection can focus on their values: legitimate requests carry a JSON array of simple identifiers, so values that fail to decode as such, or that contain quotes or SQL syntax, are worth flagging.

Additionally, because the handler returns the executed SQL string in its JSON response, analyzing responses for unexpected SQL query strings can help identify exploitation attempts.

  • Capture HTTP POST requests to admin-ajax.php with action=wppro_get_overall_chart_data. Because this traffic is normally TLS-encrypted, packet capture tools such as Wireshark or tcpdump only show the request bodies at a point where TLS is terminated (a reverse proxy or WAF); otherwise rely on proxy, WAF, or WordPress-side request logs.
  • Use curl or wget to manually test the endpoint, for example: curl -X POST -d 'action=wppro_get_overall_chart_data&stypes=[test]&slocations=[test]' https://yourwordpresssite.com/wp-admin/admin-ajax.php -v
  • Look for SQL error messages or unexpected SQL query strings in the JSON response.
  • Check WordPress logs or database logs for suspicious queries that include injected SQL code. Note that WordPress does not log SQL statements by default, so the MySQL/MariaDB general query log or a query-logging plugin is needed to see the executed queries.
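As an added example of the request-side screening described above (not part of this record or the plugin), the PHP below reads logged admin-ajax.php requests and flags 'stypes' or 'slocations' values that are not a JSON array of plain tokens. The JSON-lines log shape with ip, user, path and body fields, the token pattern, and the sample entries are all constructed assumptions; adapt the parsing to whatever your proxy or WAF actually records.

```php
<?php
// Added example, not from the advisory. Screens request-log entries for the
// vulnerable AJAX action and reports parameter values that do not look like a
// JSON array of simple identifiers. Requires PHP 8 (str_ends_with).

const TARGET_ACTION  = 'wppro_get_overall_chart_data';
const WATCHED_PARAMS = ['stypes', 'slocations'];

// A legitimate value decodes to a list of short, identifier-like strings.
// The allowed character set is an assumption about normal plugin traffic.
function param_is_benign(string $raw): bool
{
    $decoded = json_decode($raw, true);
    if (!is_array($decoded)) {
        return false;
    }
    foreach ($decoded as $item) {
        if (!is_string($item) || !preg_match('/^[A-Za-z0-9_\- ]{1,64}$/', $item)) {
            return false;
        }
    }
    return true;
}

// Takes one JSON-encoded log entry per line (assumed format) and returns one
// finding per request whose watched parameters fail the check above.
function screen_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $entry = json_decode($line, true);
        if (!is_array($entry) || !str_ends_with($entry['path'] ?? '', '/wp-admin/admin-ajax.php')) {
            continue;
        }
        parse_str($entry['body'] ?? '', $params);   // URL-decodes the POST body
        if (($params['action'] ?? '') !== TARGET_ACTION) {
            continue;
        }
        foreach (WATCHED_PARAMS as $p) {
            if (isset($params[$p]) && !param_is_benign((string) $params[$p])) {
                $findings[] = sprintf(
                    'line %d: user %s from %s sent non-token %s=%s',
                    $n + 1, $entry['user'] ?? '?', $entry['ip'] ?? '?', $p, $params[$p]
                );
            }
        }
    }
    return $findings;
}

// Constructed sample log lines (not real traffic). The second entry carries a
// stray quote inside the JSON array; the third is an unrelated AJAX action.
$sample = [
    '{"ip":"10.0.0.5","user":"editor1","path":"/wp-admin/admin-ajax.php","body":"action=wppro_get_overall_chart_data&stypes=%5B%22google%22%2C%22yelp%22%5D&slocations=%5B%5D"}',
    '{"ip":"10.0.0.9","user":"sub42","path":"/wp-admin/admin-ajax.php","body":"action=wppro_get_overall_chart_data&stypes=%5B%22google%27%22%5D&slocations=%5B%5D"}',
    '{"ip":"10.0.0.7","user":"sub42","path":"/wp-admin/admin-ajax.php","body":"action=heartbeat"}',
];

foreach (screen_log($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

Only the second sample entry is reported. The check deliberately tests the shape of a value rather than matching a list of SQL keywords: because the plugin decodes the parameters as JSON, anything that is not a list of plain tokens is already outside normal use, and shape checks are harder to evade than keyword blocklists. The same predicate can serve as a WAF rule or as a pre-check in a must-use plugin that rejects the request before the vulnerable handler runs.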
Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the WP Review Slider Pro plugin to a version later than 12.6.8 where this SQL Injection vulnerability is fixed.

If an update is not immediately available, restrict access to the vulnerable AJAX action by limiting authenticated user roles that can access it, since the vulnerability requires Subscriber-level access or higher.

Additionally, consider implementing Web Application Firewall (WAF) rules to block suspicious requests targeting the 'wppro_get_overall_chart_data' AJAX action with unusual 'stypes' or 'slocations' parameters.

Monitor logs for exploitation attempts and consider temporarily disabling the plugin if the risk is high and no patch is available.
