CVE-2026-8441

SQL Injection in WP Review Slider Pro WordPress Plugin

Vulnerability report for CVE-2026-8441, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Wordfence

Description

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'notinstring' parameter of the wprp_load_more_revs AJAX action in versions up to, and including, 12.7.2. The parameter is read via $_POST['notinstring'] and passed through sanitize_text_field(), which strips HTML and whitespace but does not provide SQL safety. The value is then concatenated directly into a numeric/unquoted `AND id NOT IN (...)` clause and executed via $wpdb->get_results() without $wpdb->prepare() or intval() casting. Because the value sits in an unquoted numeric context, WordPress's wp_magic_quotes protection (which only escapes embedded quotes) is ineffective. The AJAX hook is registered via wp_ajax_nopriv_wprp_load_more_revs, and the required check_ajax_referer nonce is publicly available via wp_localize_script on any frontend page that renders the plugin shortcode, so an unauthenticated attacker who can reach a public page hosting the plugin can extract arbitrary data from the database via blind/time-based injection.
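To make the described pattern concrete, the following is an added illustration, not the plugin's actual code: the table name, nonce action and function names are assumed. It shows the unquoted concatenation the advisory describes next to a hardened handler that casts every id with intval() and binds the list through $wpdb->prepare() with one %d placeholder per value.

```php
<?php
// Illustrative reconstruction of the pattern in the advisory. This is NOT the
// plugin's code; table name, nonce action and function names are assumed.

// Vulnerable pattern: the comma list is concatenated into an unquoted numeric
// NOT IN clause. sanitize_text_field() only strips tags and whitespace, and
// wp_magic_quotes only escapes quote characters, which an unquoted numeric
// context never needs, so neither stops injection here.
function wprp_load_more_revs_vulnerable() {
    global $wpdb;
    check_ajax_referer( 'wprp_nonce', 'nonce' ); // nonce action assumed
    $notinstring = sanitize_text_field( $_POST['notinstring'] );
    $sql = "SELECT * FROM {$wpdb->prefix}wprp_reviews WHERE id NOT IN ({$notinstring})";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: cast each element to an integer, keep only positive ids,
// and bind the survivors with $wpdb->prepare() so no user-controlled text
// ever reaches the SQL string.
function wprp_load_more_revs_hardened() {
    global $wpdb;
    check_ajax_referer( 'wprp_nonce', 'nonce' ); // nonce action assumed
    $raw = isset( $_POST['notinstring'] ) ? wp_unslash( $_POST['notinstring'] ) : '';
    $ids = array_filter(
        array_map( 'intval', explode( ',', $raw ) ),
        function ( $id ) { return $id > 0; }
    );
    $table = $wpdb->prefix . 'wprp_reviews'; // table name assumed
    if ( empty( $ids ) ) {
        // Nothing to exclude: no user data is involved in this query at all.
        return $wpdb->get_results( "SELECT * FROM {$table}" );
    }
    // One %d placeholder per id; prepare() casts each bound value to int.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE id NOT IN ({$placeholders})",
        array_values( $ids )
    );
    return $wpdb->get_results( $sql );
}
```

Registering the hardened handler only on wp_ajax_ (and not wp_ajax_nopriv_) is the "authenticated users only" restriction the mitigation section describes, but casting and preparing the values is what removes the injection itself.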



Affected Vendors & Products

Vendor: wp_review_slider
Product: wp_review_slider_pro
Version / Range: up to and including 12.7.2

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.


AI Quick Actions

Executive Summary

The WP Review Slider Pro plugin for WordPress has a SQL Injection vulnerability in the 'notinstring' parameter of the wprp_load_more_revs AJAX action in versions up to and including 12.7.2.

This parameter is read from a POST request and sanitized using sanitize_text_field(), which removes HTML and whitespace but does not prevent SQL injection.

The sanitized value is then directly concatenated into an unquoted numeric SQL clause without proper preparation or casting, making WordPress's usual protections ineffective.

Because the AJAX action is accessible without authentication and the required nonce is publicly available on any frontend page with the plugin shortcode, an attacker can exploit this to extract arbitrary data from the database using blind or time-based SQL injection.

Impact Analysis

This vulnerability allows an unauthenticated attacker to perform SQL Injection attacks on the WordPress site's database.

The attacker can extract arbitrary data from the database without authorization by exploiting the injection flaw.

The CVSS score of 7.5 indicates a high severity impact, specifically compromising confidentiality (C:H) without affecting integrity or availability.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious AJAX requests to the wprp_load_more_revs action, specifically POST requests containing the 'notinstring' parameter. Since the vulnerability involves SQL Injection via this parameter, detection involves identifying unusual or malformed input in these requests.

You can use network monitoring tools or web server logs to filter for POST requests to admin-ajax.php with the action=wprp_load_more_revs and inspect the 'notinstring' parameter for suspicious payloads.

Example commands to detect such activity might include:

  • Using grep on web server logs to find relevant AJAX calls: grep 'action=wprp_load_more_revs' /var/log/apache2/access.log (note that the action name only appears in access logs when it is sent in the query string; POST bodies are not written to access logs by default).
  • Using tcpdump or tshark to capture HTTP POST requests containing 'notinstring': tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'notinstring'
  • Using WP-CLI or custom scripts to audit plugin versions and check whether the installed version is vulnerable (up to and including 12.7.2).

Mitigation Strategies

The immediate mitigation step is to update the WP Review Slider Pro plugin to a version later than 12.7.2 where this vulnerability is fixed.

If an update is not immediately possible, consider temporarily disabling the plugin or restricting access to the AJAX action 'wprp_load_more_revs' to authenticated users only, to prevent unauthenticated exploitation.

Additionally, monitor your logs for suspicious activity targeting this vulnerability and apply web application firewall (WAF) rules to block malicious payloads targeting the 'notinstring' parameter.

Compliance Impact

The vulnerability allows an unauthenticated attacker to perform SQL Injection and extract arbitrary data from the database via blind/time-based injection.

Such unauthorized data access could lead to exposure of sensitive personal or protected health information, potentially violating data protection regulations such as GDPR and HIPAA.

Therefore, exploitation of this vulnerability may result in non-compliance with these common standards and regulations due to compromised confidentiality and data breach risks.
