SQL Injection Vulnerability in WP Review Slider Pro Plugin by WordPress
CVE-2026-8441

7.5HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
2 July 2026

What is CVE-2026-8441?

The WP Review Slider Pro plugin for WordPress has a SQL Injection vulnerability through the 'notinstring' parameter in the wprp_load_more_revs AJAX action. This flaw affects versions up to and including 12.7.2, enabling attackers to exploit the parameter, which is processed without proper SQL safety measures. The lack of sufficient input sanitization and preparation allows unquoted numeric data to be concatenated directly into a SQL query, making the database susceptible to data extraction using blind or time-based injection methods. Since the AJAX hook can be accessed without authentication on public pages, any unauthenticated user can potentially compromise database integrity and confidentiality.

Affected Version(s)

WP Review Slider Pro 0 <= 12.7.2

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

h0xilo
.