SQL Injection Vulnerability in WP Review Slider Pro Plugin by WordPress
CVE-2026-8441
7.5HIGH
What is CVE-2026-8441?
The WP Review Slider Pro plugin for WordPress has a SQL Injection vulnerability through the 'notinstring' parameter in the wprp_load_more_revs AJAX action. This flaw affects versions up to and including 12.7.2, enabling attackers to exploit the parameter, which is processed without proper SQL safety measures. The lack of sufficient input sanitization and preparation allows unquoted numeric data to be concatenated directly into a SQL query, making the database susceptible to data extraction using blind or time-based injection methods. Since the AJAX hook can be accessed without authentication on public pages, any unauthenticated user can potentially compromise database integrity and confidentiality.
Affected Version(s)
WP Review Slider Pro 0 <= 12.7.2