PT-2026-54949 · https://wpreviewslider.com/ · WP Review Slider Pro

H0Xilo · Published 2026-07-02 · Updated 2026-07-02

CVE-2026-8441

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'notinstring' parameter of the wprp_load_more_revs AJAX action in versions up to, and including, 12.7.2. The parameter is read via $_POST['notinstring'] and passed through sanitize_text_field(), which strips HTML and whitespace but does not provide SQL safety. The value is then concatenated directly into a numeric/unquoted AND id NOT IN (...) clause and executed via $wpdb->get_results() without $wpdb->prepare() or intval() casting. Because the value sits in an unquoted numeric context, WordPress's wp_magic_quotes protection (which only escapes embedded quotes) is ineffective. The AJAX hook is registered via wp_ajax_nopriv_wprp_load_more_revs, and the required check_ajax_referer nonce is publicly available via wp_localize_script on any frontend page that renders the plugin shortcode, so an unauthenticated attacker who can reach a public page hosting the plugin can extract arbitrary data from the database via blind/time-based injection.
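A hardened form of the handler pattern described above, added here as an illustrative example that is not the plugin's own code; the table, nonce, and action names are assumed. The point is that an ID exclusion list must be cast to integers and bound through $wpdb->prepare(), because sanitize_text_field() and magic quotes do nothing for an unquoted numeric context.

```php
<?php
// Illustrative hardened "load more reviews" AJAX handler (not the plugin's code).
// Assumed names: wprp_example_reviews (table), wprp_example_nonce, wprp_example_load_more.

function wprp_example_parse_id_list( $raw ) {
    // Cast every comma-separated element to int and keep only positive IDs,
    // so nothing but digits can ever reach the NOT IN (...) clause.
    $ids = array_map( 'intval', explode( ',', (string) $raw ) );
    $ids = array_filter( $ids, function ( $id ) { return $id > 0; } );
    return array_values( array_unique( $ids ) );
}

function wprp_example_load_more() {
    global $wpdb;

    // The nonce is still verified, but on a nopriv action it is not an access
    // control (it is shipped to every visitor via wp_localize_script), so the
    // query itself must be safe regardless of who calls it.
    check_ajax_referer( 'wprp_example_nonce', 'nonce' );

    $raw   = isset( $_POST['notinstring'] ) ? wp_unslash( $_POST['notinstring'] ) : '';
    $ids   = wprp_example_parse_id_list( $raw );
    $table = $wpdb->prefix . 'wprp_example_reviews';

    if ( empty( $ids ) ) {
        $sql = "SELECT * FROM {$table} ORDER BY id DESC LIMIT 10";
    } else {
        // One %d placeholder per value; $wpdb->prepare() binds each as an
        // integer, so the request string never becomes part of the SQL text.
        $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
        $sql = $wpdb->prepare(
            "SELECT * FROM {$table} WHERE id NOT IN ({$placeholders}) ORDER BY id DESC LIMIT 10",
            $ids
        );
    }

    wp_send_json_success( $wpdb->get_results( $sql ) );
}

add_action( 'wp_ajax_wprp_example_load_more', 'wprp_example_load_more' );
add_action( 'wp_ajax_nopriv_wprp_example_load_more', 'wprp_example_load_more' );
```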

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2026-8441

Affected Products

WP Review Slider Pro