CVE-2026-8444
Status: Received - Intake
SQL Injection in WP Review Slider Pro WordPress Plugin

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Wordfence

Description
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action in versions up to, and including, 12.6.8. This is due to the handler reading $_POST['curselrevs'] raw with no sanitization or type casting, then concatenating each array element directly into a `WHERE id IN ( ... )` clause without quoting and executing via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
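The following is an added illustration of the handler pattern the description names, beside a hardened equivalent; it is not taken from the plugin's source. The table name wpfb_reviews, the nonce action name, the capability checked and both function names are assumptions made for the example.

```php
<?php
// Added illustration for CVE-2026-8444, not the plugin's own code.
// Assumed names: table {$wpdb->prefix}wpfb_reviews, nonce action 'wpfb_find_reviews',
// capability 'edit_posts', and the two handler function names below.

// PATTERN THE ADVISORY DESCRIBES: the POST array is read raw, each element is
// concatenated into an unquoted IN ( ... ) list, and the query runs without prepare().
function wpfb_find_reviews_as_described() {
    global $wpdb;
    $sel = $_POST['curselrevs'];                 // no sanitization, no type cast
    $in  = implode( ',', $sel );                 // user-controlled text becomes SQL syntax
    $sql = "SELECT * FROM {$wpdb->prefix}wpfb_reviews WHERE id IN ( $in )";
    return $wpdb->get_results( $sql );           // executed without $wpdb->prepare()
}

// HARDENED HANDLER: nonce and capability checks, every element cast to a
// non-negative integer, one %d placeholder per value, query built by prepare().
function wpfb_find_reviews_hardened() {
    global $wpdb;

    check_ajax_referer( 'wpfb_find_reviews', 'nonce' );    // CSRF guard (nonce name assumed)
    if ( ! current_user_can( 'edit_posts' ) ) {            // required capability is an assumption
        wp_send_json_error( 'forbidden', 403 );
    }

    $raw = isset( $_POST['curselrevs'] ) ? (array) wp_unslash( $_POST['curselrevs'] ) : array();
    // absint() turns every element into an integer >= 0; array_filter drops the zeros
    // (non-numeric input collapses to 0), array_unique removes repeats.
    $ids = array_values( array_unique( array_filter( array_map( 'absint', $raw ) ) ) );
    if ( empty( $ids ) ) {
        wp_send_json_success( array() );                   // nothing valid to look up
    }

    // An IN list needs exactly as many placeholders as values; %d enforces integer context.
    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}wpfb_reviews WHERE id IN ( $placeholders )",
        $ids
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_wpfb_find_reviews', 'wpfb_find_reviews_hardened' );
```

The integer cast alone closes the injection path for an id list, and the prepare() call with generated %d placeholders keeps the query safe even if the column type changes later; the nonce and capability checks are the usual companions for a privileged AJAX action. On the detection side, a request to admin-ajax.php whose curselrevs[] values are anything other than plain integers is a useful signal to alert on for sites still running an affected version.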
Meta Information
Published: 2026-06-16
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: josh_white
Product: wpreviewslider_pro
Version / Range: up to 12.6.8 (inclusive)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action in versions up to and including 12.6.8.

This happens because the plugin reads the 'curselrevs' POST parameter without sanitizing or type casting it, then directly concatenates each element into a SQL WHERE clause without proper quoting or preparation.

As a result, authenticated attackers with Subscriber-level access or higher can inject additional SQL queries into existing database queries, potentially extracting sensitive information.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive database information.

Since attackers with even low-level authenticated access (Subscriber-level) can exploit it, they may extract confidential data, modify database contents, or disrupt the availability and integrity of the website.

The CVSS score of 8.8 indicates a high severity, meaning the vulnerability can lead to significant confidentiality, integrity, and availability losses.

Compliance Impact

The vulnerability allows authenticated attackers with Subscriber-level access and above to perform SQL Injection attacks that can extract sensitive information from the database.

Such unauthorized access and potential data leakage can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive personal and health information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could result in violations of these standards due to compromised confidentiality, integrity, and availability of sensitive data.
