CVE-2026-8443
Description
SQL Injection in WP Review Slider Pro plugin allows authenticated attackers to extract database contents via crafted JSON parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WP Review Slider Pro plugin for WordPress, versions up to and including 12.6.8, contains a SQL Injection vulnerability in the wppro_get_overall_chart_data AJAX action. The stypes and slocations parameters accept JSON strings that are processed with stripslashes() before json_decode(). This removes the escaping added by WordPress's wp_magic_quotes, allowing the decoded array values to be concatenated directly into SQL WHERE clauses without parameterization. The resulting query is executed via $wpdb->get_results() without using $wpdb->prepare(), making the endpoint vulnerable to SQL injection.
Exploitation
An attacker must be authenticated with at least Subscriber-level access to the WordPress site. They can send a crafted POST request to the AJAX endpoint with malicious JSON in the stypes or slocations parameters. The stripslashes() call removes backslashes, enabling the injection of SQL metacharacters. The handler also returns the executed SQL string in its JSON response, which simplifies blind SQL injection by providing immediate feedback. The attacker can append additional SQL queries to the existing query to extract data.
Impact
Successful exploitation allows the attacker to extract sensitive information from the WordPress database, including user credentials, password hashes, and other confidential data. This can lead to privilege escalation and full site compromise. The attacker gains read access to the database, potentially enabling further attacks.
Mitigation
As of the publication date (2026-06-16), no official patch has been released. Users should disable the plugin or restrict access to the AJAX endpoint until a fix is available. Alternatively, implement a Web Application Firewall (WAF) rule to block malicious JSON payloads targeting the vulnerable parameters. Monitor for updates from the vendor.
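An added illustration, not the plugin's code or the vendor's fix: a hypothetical must-use plugin that implements the interim restriction described in the Mitigation section (limiting the wppro_get_overall_chart_data action to administrators and strictly validating stypes and slocations before the plugin's handler runs), together with the $wpdb->prepare() pattern the Vulnerability section notes is missing. The action and parameter names are taken from this record; the admin-only capability choice and the allowed-value pattern are assumptions.

```php
<?php
// Interim mu-plugin guard (hypothetical, not the vendor's fix): runs before the
// plugin's handler (priority 0 < default 10) and rejects requests that fail strict checks.
add_action( 'wp_ajax_wppro_get_overall_chart_data', 'wppro_guard_chart_data', 0 );

// Accept a parameter only if it decodes to a JSON array of short alphanumeric strings.
// wp_unslash() (not stripslashes()) undoes wp_magic_quotes before validation.
function wppro_guard_validate_list( $name ) {
    if ( ! isset( $_POST[ $name ] ) ) {
        return true; // Absent parameter: let the handler apply its defaults.
    }
    $decoded = json_decode( wp_unslash( $_POST[ $name ] ), true );
    if ( ! is_array( $decoded ) ) {
        return new WP_Error( 'bad_json', "$name must be a JSON array" );
    }
    foreach ( $decoded as $value ) {
        if ( ! is_string( $value ) || ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $value ) ) {
            return new WP_Error( 'bad_value', "$name contains a disallowed value" );
        }
    }
    return true;
}

function wppro_guard_chart_data() {
    // Assumption: chart data is an admin feature, so limit it to administrators while unpatched.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // Calls wp_die(), so the plugin handler never runs.
    }
    foreach ( array( 'stypes', 'slocations' ) as $param ) {
        $result = wppro_guard_validate_list( $param );
        if ( is_wp_error( $result ) ) {
            wp_send_json_error( $result->get_error_message(), 400 );
        }
    }
    // Otherwise fall through to the plugin's own handler at priority 10.
}

// How fixed code should build such a filter: a trusted column name, one %s
// placeholder per value, and the values bound by $wpdb->prepare() rather than
// concatenated into the WHERE clause.
function wppro_safe_in_clause( $column, array $values ) {
    global $wpdb;
    if ( empty( $values ) ) {
        return '1=0'; // Empty list matches nothing; avoids an invalid "IN ()".
    }
    $placeholders = implode( ', ', array_fill( 0, count( $values ), '%s' ) );
    return $wpdb->prepare( "$column IN ( $placeholders )", $values );
}
```

Because wp_send_json_error() terminates the request, the plugin's own handler only runs for administrators whose parameters passed validation; the guard can be removed once the vendor ships a fix.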
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=12.6.8
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions: no linked articles in our index yet.