PT-2026-54949 · https://wpreviewslider.com/ · WP Review Slider Pro
H0Xilo · Published 2026-07-02 · Updated 2026-07-02 · CVE-2026-8441 · CVSS v3.1 7.5 (High)

| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'notinstring' parameter of the wprp_load_more_revs AJAX action in versions up to, and including, 12.7.2. The parameter is read via $_POST['notinstring'] and passed through sanitize_text_field(), which strips HTML and whitespace but does not provide SQL safety. The value is then concatenated directly into a numeric/unquoted AND id NOT IN (...) clause and executed via $wpdb->get_results() without $wpdb->prepare() or intval() casting. Because the value sits in an unquoted numeric context, WordPress's wp_magic_quotes protection (which only escapes embedded quotes) is ineffective. The AJAX hook is registered via wp_ajax_nopriv_wprp_load_more_revs, and the required check_ajax_referer nonce is publicly available via wp_localize_script on any frontend page that renders the plugin shortcode, so an unauthenticated attacker who can reach a public page hosting the plugin can extract arbitrary data from the database via blind/time-based injection.

Fix
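The following handler is an added illustration of how the pattern described above is closed, not the plugin's own code or its vendor's patch. It assumes a WordPress runtime ($wpdb, check_ajax_referer(), wp_send_json_success()); the handler name wprp_example_load_more_revs, the nonce action 'wprp_nonce', and the table name {$wpdb->prefix}wprp_reviews are assumptions chosen for the example. The point is that a comma-separated ID list destined for an unquoted NOT IN (...) must be reduced to integers and bound through $wpdb->prepare() with one %d placeholder per value; stripping tags or escaping quotes does nothing for a numeric context.

```php
<?php
// Added example, not the plugin's code. Assumes a WordPress runtime.
// Table name, nonce action and handler name are assumptions for illustration.

function wprp_example_load_more_revs() {
    // The nonce is a CSRF token that is handed to every frontend visitor via
    // wp_localize_script(), so this is a request-origin check, not authorization.
    check_ajax_referer( 'wprp_nonce', 'nonce' );

    global $wpdb;
    $table = $wpdb->prefix . 'wprp_reviews'; // assumed table name

    // Pattern the advisory describes (shown for contrast, never executed here):
    //   $notin = sanitize_text_field( $_POST['notinstring'] );
    //   $rows  = $wpdb->get_results( "SELECT * FROM {$table} WHERE 1=1 AND id NOT IN ({$notin})" );
    // The value lands unquoted inside NOT IN (...), so quote escaping cannot help.

    // Hardened: split, coerce each element to an integer, keep only positive IDs.
    $raw = isset( $_POST['notinstring'] ) ? wp_unslash( $_POST['notinstring'] ) : '';
    $ids = array_values( array_filter(
        array_map( 'intval', explode( ',', $raw ) ),
        function ( $id ) {
            return $id > 0;
        }
    ) );

    if ( empty( $ids ) ) {
        // Nothing to exclude; fixed query with no user-controlled fragment.
        $rows = $wpdb->get_results( "SELECT * FROM {$table} ORDER BY id DESC LIMIT 10" );
    } else {
        // One %d placeholder per surviving ID; $wpdb->prepare() casts and binds them.
        $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
        $sql = $wpdb->prepare(
            "SELECT * FROM {$table} WHERE id NOT IN ({$placeholders}) ORDER BY id DESC LIMIT 10",
            $ids
        );
        $rows = $wpdb->get_results( $sql );
    }

    wp_send_json_success( $rows );
}

// Registered for both logged-in and anonymous callers, mirroring the
// wp_ajax_nopriv_ exposure noted in the advisory.
add_action( 'wp_ajax_nopriv_wprp_example_load_more_revs', 'wprp_example_load_more_revs' );
add_action( 'wp_ajax_wprp_example_load_more_revs', 'wprp_example_load_more_revs' );
```

Two design points carry over to any similar endpoint: the allowlist conversion (intval plus a positivity filter) means no SQL token from the request can survive into the statement at all, and building the placeholder list from count($ids) rather than from the raw string keeps the number of bound values equal to the number of %d markers, which is what $wpdb->prepare() requires.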
SQL injection
Found a problem in the description? Have something to add? Feel free to write to us 👾
Weakness Enumeration
Related identifiers
Affected products
WP Review Slider Pro