CVE-2026-8443: WP Review Slider Pro <= 12.6.8 - Authenticated (Subscriber+) SQL Injection via 'stypes' Parameter
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'stypes' and 'slocations' parameters of the wppro_get_overall_chart_data AJAX action in versions up to, and including, 12.6.8. This is due to the use of stripslashes() on user-supplied JSON strings prior to json_decode(), which removes the escaping applied by WordPress's wp_magic_quotes; the resulting decoded array values are then concatenated directly into SQL WHERE clauses without parameterization, and the constructed query is executed via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The handler also returns the executed SQL string in its JSON response, which simplifies oracle construction for blind exploitation.
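A hardened version of the handler pattern described above, written here as an added example and not taken from the plugin: the action name, nonce, capability check and table name are assumptions, since the plugin's real code and schema are not on this page.

```php
<?php
// Added example, not the plugin's own code: a hardened version of the handler
// pattern described above. The action name, nonce, capability and table name
// are assumptions; the plugin's real schema is not on this page.
add_action( 'wp_ajax_wppro_safe_chart_data', 'wppro_safe_chart_data' );

function wppro_safe_chart_data() {
    global $wpdb;

    // Defence in depth: the vulnerable action answered any Subscriber. Which
    // capability the chart really needs is an assumption here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'wppro_chart_nonce', 'nonce' );

    // Undoing wp_magic_quotes (wp_unslash() is stripslashes_deep()) is the normal
    // step before json_decode(); the slashes were never a SQL defence. The
    // defect was concatenating the decoded values into the WHERE clause.
    $stypes     = json_decode( wp_unslash( $_POST['stypes'] ?? '[]' ), true );
    $slocations = json_decode( wp_unslash( $_POST['slocations'] ?? '[]' ), true );
    if ( ! is_array( $stypes ) || ! is_array( $slocations ) ) {
        wp_send_json_error( 'bad input', 400 );
    }

    // Allow-list the values: sanitize_key() keeps only [a-z0-9_-], drops the rest.
    $clean = static function ( array $vals ): array {
        return array_values( array_filter( array_map( 'sanitize_key', $vals ) ) );
    };
    $stypes     = $clean( $stypes );
    $slocations = $clean( $slocations );

    // One %s placeholder per value; $wpdb->prepare() quotes them, so the
    // values never enter the SQL string as raw text.
    $where = array( '1=1' );
    $args  = array();
    foreach ( array( 'type' => $stypes, 'location' => $slocations ) as $col => $vals ) {
        if ( $vals ) {
            $where[] = $col . ' IN (' . implode( ',', array_fill( 0, count( $vals ), '%s' ) ) . ')';
            $args    = array_merge( $args, $vals );
        }
    }
    $table = $wpdb->prefix . 'wppro_reviews'; // assumed table name
    $sql   = "SELECT type, COUNT(*) AS n FROM {$table} WHERE " . implode( ' AND ', $where ) . ' GROUP BY type';
    $rows  = $args ? $wpdb->get_results( $wpdb->prepare( $sql, $args ) ) : $wpdb->get_results( $sql );

    // Never echo the executed SQL back to the client, as the vulnerable handler did.
    wp_send_json_success( $rows );
}
```

The placeholders are generated from the count of allow-listed values, so an IN list of any length is still fully parameterized.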
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: — (no fixed version published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an authenticated SQL injection vulnerability in the WP Review Slider Pro WordPress plugin, affecting all versions up to and including 12.6.8. The flaw is reachable over the network by any logged-in user with at least a Subscriber-level account, meaning no elevated privileges are needed. Successful exploitation lets an attacker extract arbitrary data from the WordPress database, modify stored data, and disrupt data availability. HarborGuard is tracking the advisory for patch availability, as no fix version has been published.
HarborGuard Coverage
- Detection: Available. The CVE is ingested from upstream feeds (including Wordfence and NVD) within minutes of publication and matched against customer images and registries, including custom-built WordPress images that bundle this plugin. Any image layer containing WP Review Slider Pro at or below version 12.6.8 is flagged automatically.
- Triage: Available. HarborGuard surfaces this CVE with its CVSS v3.1 score of 8.8 (HIGH) and applies per-environment compliance policy weighting to determine urgency and routing. Triage alerts are directed to the appropriate team inbox within each customer organization based on the workload type and policy configuration.
- Patched-image rebuild: Pending upstream. Because no upstream fix has been published, HarborGuard re-checks the Wordfence and NVD advisory feeds each ingest cycle and will make a patched-image rebuild available the moment the vendor ships a corrected release. In the interim, customers can use HarborGuard's compensating-control recommendations to apply network-policy isolation or restrict AJAX endpoint exposure at the ingress layer.
Exploit Conditions
- Network reachability: Required
The vulnerable AJAX action is exposed over the network via HTTP, so an attacker must be able to reach the WordPress installation across the internet or an internal network.
- Authentication: Required
A valid WordPress account at Subscriber level or above is required; any low-privilege registered account is sufficient to trigger the vulnerable endpoint.
- Victim interaction: Not required
No victim interaction is needed; the attacker sends crafted requests directly to the AJAX handler without involving any other user.
- Attack complexity: Low
Attack complexity is low: the exploit is reliable and condition-free, and the handler leaks the constructed SQL string in its JSON response, which further simplifies blind injection enumeration.
Blast Radius
- Reads arbitrary database tables, including WordPress user credentials (hashed passwords), email addresses, session tokens, and plugin configuration data.
- Reads sensitive application records such as stored reviews, business data, and any custom post-type content held in the database.
- Modifies persisted database rows, including user roles, plugin settings, or site options, by appending write-capable SQL statements.
- Disrupts data integrity or availability by injecting destructive SQL that corrupts or deletes table contents.
How HarborGuard Handles This
Available on HarborGuard: because no fix version exists for CVE-2026-8443, HarborGuard continuously monitors the Wordfence and NVD advisory feeds and will surface a patched-image rebuild the moment the vendor publishes a corrected release. Until then, customers running container images that bundle WP Review Slider Pro at or below 12.6.8 are advised to apply compensating controls: use Kubernetes NetworkPolicy or ingress-layer rules to restrict access to the WordPress AJAX endpoint (wp-admin/admin-ajax.php) to known, trusted IP ranges; consider feature-flag gating or plugin deactivation if the charting functionality is non-essential; and ensure WordPress user registration is disabled or restricted to prevent opportunistic account creation. Customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads automatically once an upstream patch is available, with no manual intervention required.
Affected Products
- WP Review Slider Pro (https://wpreviewslider.com/): ≤ 12.6.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H