CVE-2026-8442: WP Review Slider Pro <= 12.6.8 - Authenticated (Subscriber+) Arbitrary File Deletion via 'myaction' Parameter
The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8. This is due to missing authorization checks on the wpfb_hide_review and wprp_save_review_admin AJAX handlers combined with insufficient path validation in the wpfb_hidereview_ajax() function, which uses strpos() to check that a stored media URL starts with the expected prefix but fails to sanitize path traversal sequences in the remaining relative path before passing it to unlink(). This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the affected site's server which may make remote code execution possible.
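The advisory's root cause is a prefix check that never constrains the rest of the path. The following PHP is an added illustration and is not the plugin's code: it places that unsafe pattern beside a hardened path resolver and an AJAX handler that adds the missing capability and nonce checks. Every `wprsp_*` name, the `wprsp_media_url` meta key and the `manage_options` capability choice are assumptions made for the example; the WordPress functions used (`current_user_can`, `check_ajax_referer`, `wp_upload_dir`, `wp_delete_file`, `add_action`) are real. Run outside WordPress (`php example.php`), it exercises the two resolvers against a constructed temp directory.

```php
<?php
// Added example, not the plugin's code. Shows why a strpos() prefix check is
// insufficient before unlink(), and one way to harden the handler.

// UNSAFE: accepts any URL that begins with the upload base URL and appends the
// remainder unchecked, so a stored value containing "../" escapes the directory.
function wprsp_unsafe_path_from_url( string $media_url, string $base_url, string $base_dir ): ?string {
    if ( strpos( $media_url, $base_url ) !== 0 ) {
        return null;
    }
    return $base_dir . substr( $media_url, strlen( $base_url ) );
}

// HARDENED: resolve the candidate with realpath() and require the resolved
// path to stay inside the resolved upload directory. Anything that does not
// resolve (missing file, broken symlink) or that escapes the tree is refused.
function wprsp_safe_path_from_url( string $media_url, string $base_url, string $base_dir ): ?string {
    if ( strpos( $media_url, $base_url ) !== 0 ) {
        return null;
    }
    $relative  = substr( $media_url, strlen( $base_url ) );
    $base_real = realpath( $base_dir );
    $candidate = realpath( $base_dir . '/' . ltrim( $relative, '/' ) );
    if ( false === $base_real || false === $candidate ) {
        return null;
    }
    $base_real = rtrim( $base_real, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $candidate, $base_real, strlen( $base_real ) ) !== 0 ) {
        return null; // resolved outside the uploads tree
    }
    return $candidate;
}

// AJAX handler with the two controls the advisory says are missing: an
// authorization check and a nonce, plus the hardened path resolution.
// Handler name, nonce action and meta key are hypothetical.
function wprsp_hide_review_ajax() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'wprsp_hide_review', 'nonce' );

    $review_id = absint( $_POST['review_id'] ?? 0 );
    $media_url = (string) get_post_meta( $review_id, 'wprsp_media_url', true );
    $uploads   = wp_upload_dir();
    $path      = wprsp_safe_path_from_url( $media_url, $uploads['baseurl'], $uploads['basedir'] );

    if ( null !== $path && is_file( $path ) ) {
        wp_delete_file( $path ); // only ever reaches a file inside uploads
    }
    wp_send_json_success();
}

if ( function_exists( 'add_action' ) ) {
    add_action( 'wp_ajax_wprsp_hide_review', 'wprsp_hide_review_ajax' );
}

// Stand-alone check when run from the CLI outside WordPress, using a
// constructed temp tree: uploads/review.jpg is legitimate, secret.txt is not.
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    $dir = sys_get_temp_dir() . '/wprsp_demo_' . getmypid();
    mkdir( $dir . '/uploads', 0700, true );
    file_put_contents( $dir . '/uploads/review.jpg', 'x' );
    file_put_contents( $dir . '/secret.txt', 'x' );
    $url = 'https://example.invalid/wp-content/uploads';

    $escaping = $url . '/../secret.txt';          // constructed stored value
    var_dump( wprsp_unsafe_path_from_url( $escaping, $url, $dir . '/uploads' ) ); // string: points outside uploads
    var_dump( wprsp_safe_path_from_url( $escaping, $url, $dir . '/uploads' ) );   // NULL: refused
    var_dump( wprsp_safe_path_from_url( $url . '/review.jpg', $url, $dir . '/uploads' ) ); // resolved path inside uploads

    unlink( $dir . '/uploads/review.jpg' );
    unlink( $dir . '/secret.txt' );
    rmdir( $dir . '/uploads' );
    rmdir( $dir );
}
```

The realpath() comparison is the important part: it canonicalises `..` segments and symlinks before the prefix test, which a string prefix check on the raw URL cannot do. The capability and nonce checks close the separate authorization gap so the handler is not reachable by subscriber-level accounts at all.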
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Arbitrary file deletion in the WP Review Slider Pro WordPress plugin (versions up to and including 12.6.8) allows any authenticated user with a subscriber-level account to delete files anywhere on the server. The vulnerability is reachable over the network and requires no elevated privileges, only a valid WordPress login. Successful exploitation destroys arbitrary server files and can open the door to remote code execution by removing security-critical files such as .htaccess. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment the upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-8442 is available across every HarborGuard environment; the CVE is ingested from upstream feeds including Wordfence within minutes of publication and matched against customer images and pipeline builds, including custom WordPress-based images. Any image containing WP Review Slider Pro at or below version 12.6.8 is flagged automatically.
HarborGuard scores this finding at CVSS 8.1 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and applies per-environment compliance policy weighting before routing the alert to the appropriate team inbox within each customer organization.
No upstream fix version has been published for CVE-2026-8442; HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available immediately once the vendor ships a remediated release. In the meantime, compensating controls such as network-policy restrictions on the AJAX endpoints and web application firewall rules blocking path traversal patterns remain available for review within each environment.
Exploit Conditions
- Network reachability: Required
The vulnerable AJAX handlers are exposed over the network, so an attacker must be able to reach the WordPress site's HTTP/HTTPS endpoint.
- Authentication: Required
A low-privilege WordPress account (subscriber level or above) is sufficient; no admin credentials are needed.
- Victim interaction: Not required
The attacker sends crafted requests directly to the AJAX handlers; no action from any other user is required.
- Attack complexity
Exploitation is reliable and condition-free; the path traversal payload can be constructed deterministically without race conditions or special environmental setup.
Blast Radius
- Deletes arbitrary files on the server filesystem, including WordPress core files, plugin files, and configuration files.
- Removes security-enforcing files such as .htaccess, which disables server-level access controls and rewrites.
- Creates conditions for remote code execution by clearing files that would otherwise block malicious code upload or execution.
- Causes persistent service disruption by deleting files the application requires to start or respond to requests.
How HarborGuard Handles This
Available on HarborGuard: because no upstream patch exists for CVE-2026-8442, HarborGuard continuously monitors the Wordfence advisory and vendor release channels on every ingest cycle. The moment a fixed version is published, a patched-image rebuild becomes available, and customers with auto-remediation enabled will receive a rebuilt image, an automated regression test run, and a PR opened against affected workloads. While no fix is available, customers can reduce exposure through compensating controls: applying a web application firewall rule to block path traversal sequences (../) in AJAX request parameters, restricting network-policy access to the WordPress AJAX endpoint to trusted source ranges, and auditing subscriber-level account creation to limit the attacker pool. These control suggestions are available for review within each HarborGuard environment alongside the active finding.
- WP Review Slider Pro (https://wpreviewslider.com/), versions ≤ 12.6.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H