CVE-2026-8444 (Severity: HIGH) — CNA: Wordfence

CVE-2026-8444: WP Review Slider Pro <= 12.6.8 - Authenticated (Subscriber+) SQL Injection via 'curselrevs' Parameter

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action in versions up to, and including, 12.6.8. This is due to the handler reading $_POST['curselrevs'] raw with no sanitization or type casting, then concatenating each array element directly into a `WHERE id IN ( ... )` clause without quoting and executing via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
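As an added illustration (not the plugin's code, which the advisory does not reproduce): the query-building pattern the description lists, followed by a hardened handler for the same AJAX action. The function names, table name, nonce action and capability are assumptions.

```php
<?php
// Illustrative reconstruction of the pattern described in the advisory, followed by a
// hardened handler. Not the plugin's actual code: function names, the table name, the
// nonce action and the capability are assumptions.

// BEFORE (the class of bug described): the array is read raw and each element is
// concatenated into the IN ( ... ) list, so every element becomes part of the SQL text.
function hypothetical_find_reviews_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'hypothetical_reviews'; // assumed table name
    $ids   = isset( $_POST['curselrevs'] ) ? (array) $_POST['curselrevs'] : array();
    $sql   = "SELECT * FROM {$table} WHERE id IN ( " . implode( ',', $ids ) . " )";
    return $wpdb->get_results( $sql ); // no type casting, no $wpdb->prepare()
}

// AFTER: nonce and capability checks, every element cast to a non-negative integer,
// and one %d placeholder per element bound through $wpdb->prepare().
function hypothetical_find_reviews_hardened() {
    global $wpdb;

    check_ajax_referer( 'hypothetical_reviews_nonce', 'nonce' ); // assumed nonce action
    if ( ! current_user_can( 'manage_options' ) ) {             // use the capability the feature needs
        wp_send_json_error( 'forbidden', 403 );
    }

    $raw = isset( $_POST['curselrevs'] ) ? (array) wp_unslash( $_POST['curselrevs'] ) : array();
    // absint() reduces every element to a non-negative integer, so a non-numeric
    // element can never reach the query as SQL text; zeros and duplicates are dropped.
    $ids = array_values( array_unique( array_filter( array_map( 'absint', $raw ) ) ) );
    if ( empty( $ids ) ) {
        wp_send_json_success( array() );
    }

    // Build "%d,%d,..." with exactly one placeholder per id; prepare() binds the array.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $table        = $wpdb->prefix . 'hypothetical_reviews';
    $sql          = $wpdb->prepare(
        "SELECT id, review_text FROM {$table} WHERE id IN ( {$placeholders} )",
        $ids
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_hypothetical_find_reviews', 'hypothetical_find_reviews_hardened' );
```

The table name is interpolated into the query string only because it is not user-controlled; every value that originates in the request goes through a placeholder.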

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a SQL injection vulnerability in the WP Review Slider Pro plugin for WordPress, affecting all versions up to and including 12.6.8. The plugin reads the 'curselrevs[]' POST parameter without sanitization and concatenates it directly into a SQL query, allowing an attacker with a low-privilege WordPress account (Subscriber level or higher) to inject arbitrary SQL. Successful exploitation lets an attacker extract sensitive data from the WordPress database, including user credentials, session tokens, and any other stored content. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection (status: Available)

Detection of CVE-2026-8444 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Wordfence, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines. This matching covers custom-built images that bundle the WP Review Slider Pro plugin alongside WordPress.

Triage (status: Available)

HarborGuard scores this finding at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (status: Pending upstream)

Because no upstream fix version has been published for CVE-2026-8444, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the plugin vendor ships a remediated release. In the interim, compensating controls are available to limit exposure while the vulnerability remains unpatched.

Exploit Conditions

  • Network reachability: Required

    The vulnerable AJAX endpoint is reachable over the network, so the attacker must be able to send HTTP requests to the WordPress installation.

  • Authentication: Required

    A low-privilege WordPress account at Subscriber level or above is sufficient to trigger the vulnerable AJAX action.

  • Victim interaction: Not required

    No user interaction is needed; the attacker sends a crafted POST request directly to the endpoint without involving any other party.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free; the attacker only needs to supply a malformed array value in the 'curselrevs[]' parameter.

Blast Radius

  • Reads any data stored in the WordPress database, including hashed passwords, email addresses, and private post content.
  • Extracts active session tokens or authentication keys, which can enable account takeover without needing a password.
  • Reads plugin and theme configuration tables, potentially exposing API keys or third-party service credentials stored in WordPress options.
  • Depending on database user privileges, may read data from other database schemas co-hosted on the same MySQL instance.

How HarborGuard Handles This

Available on HarborGuard: because no patch has been released for CVE-2026-8444, HarborGuard continuously monitors the Wordfence advisory on every ingest cycle and will surface a patched-image rebuild the moment the WP Review Slider Pro plugin ships a fixed version. While the vulnerability is unpatched, customers can apply compensating controls through HarborGuard policy configuration: network-policy isolation restricting which sources can reach the WordPress AJAX endpoint (wp-admin/admin-ajax.php), egress filtering on the database host to limit lateral movement if SQL injection is achieved, and a review of whether Subscriber-level registration is necessary in affected WordPress environments. Where compliance policy permits, auto-remediation will trigger a rebuild, a regression-test run, and a PR against affected workloads as soon as a fix version becomes available upstream.

Affected packages
  • WP Review Slider Pro (https://wpreviewslider.com/): ≤ 12.6.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H