VYPR
High severity (score 8.8) · NVD Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

CVE-2026-8444

Description

SQL injection in WP Review Slider Pro up to 12.6.8 allows authenticated attackers with Subscriber access to extract database contents via the curselrevs[] parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WP Review Slider Pro plugin for WordPress, versions up to and including 12.6.8, contains a SQL injection vulnerability in the wpfb_find_reviews AJAX action. The handler reads $_POST['curselrevs'] without sanitization or type casting, concatenates each array element unquoted into a WHERE id IN ( ... ) clause, and executes the resulting string through $wpdb->get_results() without $wpdb->prepare(). Any element that is not a plain integer therefore becomes part of the SQL statement, so an attacker can inject arbitrary SQL. [1]

Exploitation

An attacker needs an account with at least Subscriber privileges on the WordPress site. Because wp_ajax_ handlers run for any logged-in user unless the handler itself checks capabilities, that is enough to reach the action: the attacker sends a POST request to admin-ajax.php with action=wpfb_find_reviews and one or more curselrevs[] values that carry SQL instead of numeric IDs. With no parameterized query, the injected text is executed as part of the statement.

Impact

Successful exploitation lets the attacker reshape the existing SELECT, which is sufficient to read data from other tables (for example user password hashes, session tokens, or other confidential data) through UNION-based or blind extraction. Because $wpdb executes a single statement at a time, the attacker cannot append a second, separate query; the impact is read access to the WordPress database, which can still lead to further compromise.

Mitigation

The vendor had not released a patched version as of the publication date (2026-06-16). Upgrade to a release later than 12.6.8 once one is available. Until then, consider disabling the wpfb_find_reviews AJAX action (or deactivating the plugin) and adding a Web Application Firewall (WAF) rule that rejects any request whose curselrevs[] values are not plain positive integers; an allow-list of digits is more reliable than trying to block known SQL keywords. The plugin's product page [1] may provide future updates.
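The pattern the advisory describes, reconstructed beside a hardened handler, as an added example written for this page; it is not code from WP Review Slider Pro or its vendor. Assumed, and not taken from the advisory: the table name wp_wpfb_reviews, the column names, the nonce action name, and the two callback function names. The action name wpfb_find_reviews and the parameter curselrevs[] are the ones the advisory gives.

```php
<?php
// Added example for this advisory page; not the plugin's own code.
// Assumptions (not from the advisory): table {$wpdb->prefix}wpfb_reviews,
// columns id/review_text, the nonce action 'wpfb_find_reviews_nonce',
// and the function names below.

// 1. The vulnerable shape the advisory describes: each curselrevs[] element
//    is concatenated, unquoted and uncast, into WHERE id IN ( ... ) and the
//    string is run through get_results() with no prepare(). A value such as
//    "1) OR 1=1 -- " becomes part of the statement.
function vypr_example_find_reviews_vulnerable() {
    global $wpdb;
    $ids = isset( $_POST['curselrevs'] ) ? (array) $_POST['curselrevs'] : array();
    $sql = "SELECT id, review_text FROM {$wpdb->prefix}wpfb_reviews"
         . " WHERE id IN (" . implode( ',', $ids ) . ")";
    return $wpdb->get_results( $sql );
}

// 2. Hardened replacement: validate every element as a positive integer
//    (reject, do not silently cast), then bind each one with a %d
//    placeholder so $wpdb->prepare() builds the IN list.
function vypr_example_find_reviews_hardened() {
    global $wpdb;

    // wp_ajax_ handlers are reachable by any logged-in user, Subscribers
    // included, so the handler must verify a nonce itself.
    check_ajax_referer( 'wpfb_find_reviews_nonce', 'nonce' ); // assumed nonce action

    $raw = isset( $_POST['curselrevs'] ) ? (array) wp_unslash( $_POST['curselrevs'] ) : array();

    $ids = array();
    foreach ( $raw as $value ) {
        // Only strings of digits are accepted; "1) OR 1=1 -- " is refused here.
        if ( ! is_scalar( $value ) || ! ctype_digit( (string) $value ) ) {
            wp_send_json_error( 'curselrevs must contain integer ids only', 400 );
        }
        $ids[] = (int) $value;
    }
    if ( empty( $ids ) ) {
        wp_send_json_success( array() );
    }
    $ids = array_values( array_unique( $ids ) );

    // One %d per id: "%d,%d,%d" for three ids. prepare() accepts the values
    // as a single array argument and casts each to an integer.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT id, review_text FROM {$wpdb->prefix}wpfb_reviews WHERE id IN ($placeholders)",
        $ids
    );

    wp_send_json_success( $wpdb->get_results( $sql, ARRAY_A ) );
}

// Hook name follows WordPress convention for the action the advisory names.
add_action( 'wp_ajax_wpfb_find_reviews', 'vypr_example_find_reviews_hardened' );
```

The same digits-only rule is what a temporary WAF rule should enforce on curselrevs[] while no vendor fix exists: the integer allow-list closes the injection regardless of which SQL keywords an attacker chooses, whereas a keyword blocklist can be bypassed.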

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2

News mentions

0

No linked articles in our index yet.