CVE-2026-8442
Description
WP Review Slider Pro ≤12.6.8 allows authenticated subscriber+ to delete arbitrary files via missing authorization and path traversal in AJAX handlers, potentially leading to RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WP Review Slider Pro plugin for WordPress versions up to and including 12.6.8 contains an arbitrary file deletion vulnerability. The flaw resides in the wpfb_hide_review and wprp_save_review_admin AJAX handlers. The wpfb_hidereview_ajax() function checks that a stored media URL starts with an expected prefix using strpos() but fails to sanitize path traversal sequences in the remaining relative path before passing it to unlink(). This allows an authenticated attacker with subscriber-level access or above to delete arbitrary files on the server.
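As an added illustration (not code from the plugin or from the CVE references), the prefix-only check the description names, beside a canonicalising check that is safe to put in front of unlink(); the temporary directory layout and file names are constructed for the demo.

```php
<?php
// Added example, not the plugin's code: a string-prefix test versus a
// realpath()-based containment test. Paths below are constructed for the demo.

// Weak pattern: a leading-substring test accepts "base/../../wp-config.php"
// because the string genuinely starts with the base directory.
function weak_is_allowed(string $path, string $base): bool {
    return strpos($path, $base) === 0;
}

// Hardened pattern: resolve both sides on the real filesystem (symlinks and
// "../" collapsed) and require the target to sit under the resolved base.
// realpath() returns false for a missing file, which is also the correct
// answer for a delete request, so that case is refused too.
function safe_delete_target(string $path, string $base): ?string {
    $realBase = realpath($base);
    $real     = realpath($path);
    if ($realBase === false || $real === false) {
        return null;
    }
    // Trailing separator so "/uploads/reviews2" cannot match "/uploads/reviews".
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $realBase, strlen($realBase)) !== 0) {
        return null;
    }
    return $real;
}
// Inside a WordPress AJAX handler the authorization gap is closed before any
// path logic runs: a nonce check (check_ajax_referer) and a capability test
// (current_user_can). Left out here so the demo runs outside WordPress.

// Constructed layout: <tmp>/uploads/reviews/media.jpg and <tmp>/wp-config.php
$root = sys_get_temp_dir() . '/prefix-check-demo-' . getmypid();
$base = $root . '/uploads/reviews/';
mkdir($base, 0700, true);
touch($base . 'media.jpg');
touch($root . '/wp-config.php');
$legit   = $base . 'media.jpg';
$hostile = $base . '../../wp-config.php';

printf("weak check accepts traversal path: %s\n", weak_is_allowed($hostile, $base) ? 'yes' : 'no');
printf("hardened check refuses traversal path: %s\n", safe_delete_target($hostile, $base) === null ? 'yes' : 'no');
printf("hardened check allows file under base: %s\n", safe_delete_target($legit, $base) !== null ? 'yes' : 'no');

// Remove the constructed tree.
unlink($root . '/wp-config.php'); unlink($legit);
rmdir($base); rmdir($root . '/uploads'); rmdir($root);
```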
Exploitation
An attacker needs subscriber-level access to the WordPress site. By sending crafted AJAX requests to the vulnerable handlers, the attacker can supply a file path containing ../ sequences that bypass the prefix check and reach arbitrary files outside the intended directory. The lack of authorization checks on the AJAX handlers makes this possible for any authenticated user.
Impact
Successful exploitation allows an attacker to delete arbitrary files, including critical system files such as wp-config.php or executable files. Deleting certain files could lead to denial of service or, in combination with other vulnerabilities, enable remote code execution. The CVSS v3 score is 8.1 (High).
Mitigation
The vendor has not yet released a patched version as of the publication date (2026-06-16). Website administrators should restrict subscriber-level access, monitor for unusual AJAX activity, and apply updates as soon as they become available. The plugin homepage [1] may provide future updates.
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=12.6.8
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions (0)
No linked articles in our index yet.