
CVE-2026-8442: WP Review Slider Pro Path Traversal Flaw

CVE-2026-8442 is a path traversal vulnerability in WP Review Slider Pro for WordPress that enables arbitrary file deletion. Authenticated attackers can exploit this flaw to delete critical files. This article covers technical details, affected versions, impact, and mitigation strategies.


CVE-2026-8442 Overview

CVE-2026-8442 is an arbitrary file deletion vulnerability in the WP Review Slider Pro plugin for WordPress, affecting all versions up to and including 12.6.8. The flaw resides in the wpfb_hide_review and wprp_save_review_admin AJAX handlers, which lack authorization checks. The wpfb_hidereview_ajax() function validates stored media URLs using strpos() but fails to sanitize path traversal sequences before passing values to unlink(). Authenticated attackers with subscriber-level access or above can delete arbitrary files on the server. Deletion of critical files such as wp-config.php can force WordPress into setup mode, enabling site takeover and potential remote code execution.

Critical Impact

Authenticated subscribers can delete arbitrary server files, including wp-config.php, leading to site takeover and possible remote code execution.

Affected Products

  • WP Review Slider Pro plugin for WordPress
  • All versions up to and including 12.6.8
  • WordPress sites with subscriber registration or higher-privileged accounts enabled

Discovery Timeline

  • 2026-06-16 - CVE-2026-8442 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-8442

Vulnerability Analysis

The vulnerability is classified as a path traversal flaw [CWE-22] leading to arbitrary file deletion. The WP Review Slider Pro plugin exposes two AJAX endpoints, wpfb_hide_review and wprp_save_review_admin, that process review data including media URLs. These handlers omit capability checks, allowing any authenticated user to invoke them.

The wpfb_hidereview_ajax() function attempts to restrict file operations by verifying that a supplied media URL begins with an expected prefix. It uses strpos() for this prefix comparison, then constructs a file path and passes it to PHP's unlink() function. The check confirms only the leading characters of the input string and does not normalize the trailing path.

Because the relative path portion is never sanitized, attackers can append ../ sequences to traverse outside the plugin's media directory. Successful deletion of wp-config.php causes WordPress to enter its installation routine, allowing an attacker to reconnect the site to an attacker-controlled database and execute arbitrary PHP.

Root Cause

Two defects combine to produce the vulnerability. First, the AJAX handlers are missing authorization and capability validation, exposing privileged functionality to low-privileged users. Second, strpos()-based prefix validation is insufficient as a path safety check because it does not reject ../ traversal segments in the remaining path components.
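The two defects above, shown side by side in an added example (this is not the plugin's own code; function names, the media directory and the option names are assumptions). The first handler reconstructs the pattern the advisory describes, a strpos() prefix check followed by unlink() with no capability check; the second is a hardened form that adds authorization, a nonce, and realpath() containment so the resolved file must stay inside the media directory:

```php
<?php
// Added example, hypothetical reconstruction of the described pattern.
// Not WP Review Slider Pro's code; names and paths are assumptions.

// Vulnerable pattern: reachable by any logged-in user, and strpos() only
// confirms the leading characters, so "../" in the remainder is honoured.
function example_hidereview_ajax_vulnerable() {
    $base_url = content_url( '/uploads/example-reviews/' );   // assumed prefix
    $media    = isset( $_POST['media_url'] ) ? $_POST['media_url'] : '';

    if ( strpos( $media, $base_url ) === 0 ) {                // prefix check only
        $relative = substr( $media, strlen( $base_url ) );
        $file     = WP_CONTENT_DIR . '/uploads/example-reviews/' . $relative;
        @unlink( $file );                                     // traversal reaches here
    }
    wp_die();
}

// Hardened form: capability check, nonce, and path containment.
function example_hidereview_ajax_hardened() {
    // 1. Authorization: only users allowed to manage the plugin may delete media.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_hide_review', 'nonce' );

    $media  = isset( $_POST['media_url'] ) ? wp_unslash( $_POST['media_url'] ) : '';
    $target = example_resolve_media_path( $media );
    if ( $target === null ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    wp_delete_file( $target );   // WordPress wrapper around unlink()
    wp_send_json_success();
}

// Maps a stored media URL to a file inside the plugin's media directory,
// or returns null when the resolved path escapes that directory.
function example_resolve_media_path( $media_url ) {
    $base_url = content_url( '/uploads/example-reviews/' );   // assumed prefix
    if ( strpos( $media_url, $base_url ) !== 0 ) {
        return null;
    }
    // Keep only the file name: no directory component comes from user input.
    $name = basename( rawurldecode( substr( $media_url, strlen( $base_url ) ) ) );
    if ( $name === '' || $name === '.' || $name === '..' ) {
        return null;
    }
    $base_dir = realpath( WP_CONTENT_DIR . '/uploads/example-reviews' );
    $file     = realpath( $base_dir . DIRECTORY_SEPARATOR . $name );
    // realpath() returns false for a missing file; the result must also sit
    // strictly below $base_dir (the trailing separator defeats prefix tricks
    // such as "example-reviews-other").
    if ( $base_dir === false || $file === false
        || strpos( $file, $base_dir . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $file;
}

add_action( 'wp_ajax_example_hide_review', 'example_hidereview_ajax_hardened' );
```

The containment check compares resolved paths rather than raw strings, which is what a strpos() prefix test on the input cannot do: after realpath() any "../" segments are gone, so a target outside the directory simply fails the comparison. Restricting the input to basename() is stricter still and is the right choice when the handler only ever needs to delete files directly in one directory.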

Attack Vector

Exploitation requires network access and authenticated subscriber-level credentials. The attacker submits a crafted POST request to admin-ajax.php invoking the vulnerable action with a media URL parameter that begins with the expected prefix but includes path traversal sequences. The server resolves the path and deletes the targeted file. No user interaction is required. See the Wordfence Vulnerability Report for additional technical context.

Detection Methods for CVE-2026-8442

Indicators of Compromise

  • POST requests to /wp-admin/admin-ajax.php containing action=wpfb_hide_review or action=wprp_save_review_admin from low-privileged user sessions.
  • Request parameters containing ../ or URL-encoded %2e%2e%2f traversal sequences in media URL fields.
  • Unexpected absence of wp-config.php, .htaccess, or core WordPress files, or WordPress entering the installation setup screen unexpectedly.
  • File deletion events in the WordPress uploads directory or outside the plugin's expected media path.

Detection Strategies

  • Inspect web server access logs for AJAX calls to the affected actions originating from subscriber or contributor accounts.
  • Deploy WordPress security plugins with rules targeting wpfb_hide_review and wprp_save_review_admin traversal attempts.
  • Use file integrity monitoring to alert on deletion of WordPress core files and configuration files.

Monitoring Recommendations

  • Enable verbose logging on admin-ajax.php to capture user ID, action name, and parameter values.
  • Audit registered users and disable open registration where business requirements permit.
  • Monitor for new WordPress installation prompts that may indicate wp-config.php deletion and active takeover attempts.
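Standard web server access logs record only the query string, so an action or media URL sent in a POST body never appears in them; the indicators and strategies above are easiest to act on with the application-level logging the monitoring recommendation describes. The following added example (not from the advisory) scans such log lines for the listed indicators: calls to the two affected actions from low-privileged roles, and parameter values carrying "../" traversal, including URL-encoded and double-encoded forms. The log format, field names and sample lines are constructed for the example.

```php
<?php
// Added example: detection over constructed application-level log lines.
// Log format (assumed): "<ts> user=<id> role=<role> action=<name> params=<urlencoded>"

const SUSPECT_ACTIONS = [ 'wpfb_hide_review', 'wprp_save_review_admin' ];
const LOW_PRIV_ROLES  = [ 'subscriber', 'contributor', 'author' ];

// Decodes repeatedly (bounded) so double-encoded "%252e%252e%2f" is also caught.
function example_fully_decode( $value ) {
    for ( $i = 0; $i < 3; $i++ ) {
        $decoded = rawurldecode( $value );
        if ( $decoded === $value ) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

// True when the decoded value contains a "../" or "..\" traversal segment.
function example_has_traversal( $value ) {
    return (bool) preg_match( '#(^|[\\\\/])\.\.([\\\\/]|$)#', example_fully_decode( $value ) );
}

// Parses one log line into an associative array, or null if it does not match.
function example_parse_line( $line ) {
    if ( ! preg_match( '/^(\S+) user=(\d+) role=(\S+) action=(\S+) params=(.*)$/', $line, $m ) ) {
        return null;
    }
    parse_str( $m[5], $params );   // one level of URL decoding happens here
    return [ 'ts' => $m[1], 'user' => (int) $m[2], 'role' => $m[3],
             'action' => $m[4], 'params' => $params ];
}

// Classifies a line as 'traversal' (affected action with a traversal payload),
// 'low-priv' (affected action from a low-privileged role) or null.
function example_classify( $line ) {
    $e = example_parse_line( $line );
    if ( $e === null || ! in_array( $e['action'], SUSPECT_ACTIONS, true ) ) {
        return null;
    }
    foreach ( $e['params'] as $v ) {
        if ( is_string( $v ) && example_has_traversal( $v ) ) {
            return 'traversal';
        }
    }
    return in_array( $e['role'], LOW_PRIV_ROLES, true ) ? 'low-priv' : null;
}

// Returns only the lines worth alerting on, with their category.
function example_scan( array $lines ) {
    $hits = [];
    foreach ( $lines as $line ) {
        $cat = example_classify( $line );
        if ( $cat !== null ) {
            $hits[] = [ 'category' => $cat, 'line' => $line ];
        }
    }
    return $hits;
}

// Constructed sample lines, not real traffic.
$sample = [
    '2026-06-16T10:00:01Z user=12 role=subscriber action=wpfb_hide_review params=review_id=7&media_url=https%3A%2F%2Fexample.test%2Fwp-content%2Fuploads%2Freviews%2F..%2F..%2F..%2Fwp-config.php',
    '2026-06-16T10:00:05Z user=12 role=subscriber action=wprp_save_review_admin params=review_id=7&media_url=https%3A%2F%2Fexample.test%2Fwp-content%2Fuploads%2Freviews%2F%252e%252e%252fhtaccess',
    '2026-06-16T10:01:00Z user=3 role=contributor action=wpfb_hide_review params=review_id=9&media_url=https%3A%2F%2Fexample.test%2Fwp-content%2Fuploads%2Freviews%2Fphoto.jpg',
    '2026-06-16T10:02:00Z user=1 role=administrator action=wpfb_hide_review params=review_id=9&media_url=https%3A%2F%2Fexample.test%2Fwp-content%2Fuploads%2Freviews%2Fphoto.jpg',
    '2026-06-16T10:03:00Z user=12 role=subscriber action=heartbeat params=interval=60',
];

foreach ( example_scan( $sample ) as $hit ) {
    echo $hit['category'], "\t", $hit['line'], "\n";
}
// Expected: the first two lines are reported as 'traversal', the third as
// 'low-priv'; the administrator call and the heartbeat produce no alert.
```

A 'low-priv' hit is not proof of exploitation, since the advisory notes the handlers accept any authenticated user, but on an unpatched site it is exactly the traffic the capability check should have refused, so it is worth reviewing alongside file integrity alerts on wp-config.php and core files.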

How to Mitigate CVE-2026-8442

Immediate Actions Required

  • Update WP Review Slider Pro to a version newer than 12.6.8 once the vendor publishes a fixed release.
  • Disable or remove the plugin until a patched version is available if subscriber-level registration is enabled.
  • Review and remove untrusted subscriber, contributor, and author accounts created since plugin installation.
  • Restore any deleted files from backup and rotate database credentials if wp-config.php was removed.

Patch Information

At the time of publication, vendor patch details are referenced through the Wordfence Vulnerability Report and the WPreviewSlider Official Site. Administrators should apply the latest update from the vendor that introduces capability checks on the AJAX handlers and proper path normalization in wpfb_hidereview_ajax().

Workarounds

  • Block requests to admin-ajax.php containing action=wpfb_hide_review or action=wprp_save_review_admin at the web application firewall layer.
  • Restrict new user registration by disabling the users_can_register option in the WordPress general settings.
  • Enforce file system permissions so the PHP process cannot delete wp-config.php or other sensitive files outside wp-content/uploads. Deleting a file is governed by write permission on its containing directory, not on the file itself, so making wp-config.php read-only is not enough on its own.

```bash
# Disable open registration via WP-CLI as a temporary mitigation
wp option update users_can_register 0
```

```nginx
# Block the vulnerable AJAX actions at the web server (nginx example).
# Add the if-block inside the location that already handles PHP for this
# path; an exact-match location without the fastcgi directives would stop
# serving admin-ajax.php altogether.
# Note: $arg_action sees only the query string. An "action" sent in the POST
# body is not inspected here and needs a WAF or plugin-level rule.
location = /wp-admin/admin-ajax.php {
    if ($arg_action ~* "(wpfb_hide_review|wprp_save_review_admin)") {
        return 403;
    }
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
