CVE Catalog

CVE-2026-8441

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.37%

29th percentile — higher than 29% of all known CVEs

Summary

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'notinstring' parameter in the wprp_load_more_revs AJAX action. The unsanitized value is concatenated directly into an AND id NOT IN (...) clause, allowing unauthenticated attackers to extract database data.

Risk Assessment

An attacker can exfiltrate sensitive data from the WordPress database, such as user passwords, API keys, or personal data, without authentication. This vulnerability could lead to full site compromise.

Recommendation

Immediately update the WP Review Slider Pro plugin to a version newer than 12.7.2. If no update is available, temporarily disable the plugin or remove public access to the wprp_load_more_revs AJAX action.

Original NVD description (English source)

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'notinstring' parameter of the wprp_load_more_revs AJAX action in versions up to, and including, 12.7.2. The parameter is read via $_POST['notinstring'] and passed through sanitize_text_field() — which strips HTML and whitespace but does not provide SQL safety. The value is then concatenated directly into a numeric/unquoted `AND id NOT IN (...)` clause and executed via $wpdb->get_results() without $wpdb->prepare() or intval() casting. Because the value sits in an unquoted numeric context, WordPress's wp_magic_quotes protection (which only escapes embedded quotes) is ineffective. The AJAX hook is registered via wp_ajax_nopriv_wprp_load_more_revs, and the required check_ajax_referer nonce is publicly available via wp_localize_script on any frontend page that renders the plugin shortcode, so an unauthenticated attacker who can reach a public page hosting the plugin can extract arbitrary data from the database via blind/time-based injection.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS