CVE-2026-8443 Overview
CVE-2026-8443 is an authenticated SQL injection vulnerability in the WP Review Slider Pro plugin for WordPress, affecting all versions up to and including 12.6.8. The flaw resides in the wppro_get_overall_chart_data AJAX action, where the stypes and slocations parameters are concatenated into SQL WHERE clauses without parameterization. Attackers with Subscriber-level access or higher can append additional SQL queries to extract sensitive data from the WordPress database. The handler returns the executed SQL string in its JSON response, which simplifies oracle construction for blind exploitation. The issue is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated attackers with minimal privileges can exfiltrate arbitrary database contents, including password hashes, session tokens, and personally identifiable information stored in WordPress.
Affected Products
- WP Review Slider Pro plugin for WordPress
- Versions up to and including 12.6.8
- WordPress installations exposing the wppro_get_overall_chart_data AJAX endpoint to authenticated users
Discovery Timeline
- 2026-06-16 - CVE-2026-8443 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-8443
Vulnerability Analysis
The vulnerability stems from unsafe handling of JSON-encoded user input in the wppro_get_overall_chart_data AJAX handler. The handler calls stripslashes() on user-supplied JSON strings before invoking json_decode(). This removes the escaping that WordPress applies through wp_magic_quotes. The decoded array values from the stypes and slocations parameters are then concatenated directly into SQL WHERE clauses.
The constructed query executes through $wpdb->get_results() without $wpdb->prepare(), leaving the input completely unsanitized. Because the plugin returns the executed SQL string in its JSON response, attackers can directly observe how their input was rendered into the final query. This response-leak behavior simplifies blind exploitation and oracle construction, accelerating exfiltration.
Root Cause
The root cause is the combination of two coding errors. First, applying stripslashes() to JSON input strips the protective escaping added by WordPress global request handling. Second, decoded array elements are interpolated into the SQL query as raw strings rather than passed as bound parameters. Together these mistakes break the defense-in-depth chain that WordPress provides for AJAX endpoints.
Attack Vector
An attacker authenticates to WordPress with Subscriber-level privileges or higher and issues a POST request to admin-ajax.php invoking the wppro_get_overall_chart_data action. The attacker crafts the stypes or slocations JSON parameter to contain SQL syntax that escapes the original WHERE clause and appends a UNION SELECT or subquery. The JSON response then reveals the executed SQL, confirming injection and enabling blind extraction techniques such as time-based or boolean-based exfiltration of administrator credentials and session data.
No verified proof-of-concept code has been published. See the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-8443
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php with the action=wppro_get_overall_chart_data parameter originating from low-privilege accounts.
- Request bodies containing SQL keywords such as UNION, SELECT, SLEEP(, BENCHMARK(, or comment sequences (--, #, /*) inside the stypes or slocations JSON values.
- Unusual response sizes or latency spikes from the affected AJAX endpoint indicating time-based blind injection.
- New or modified WordPress administrator accounts following Subscriber account activity.
Detection Strategies
- Inspect web server access logs for repeated calls to wppro_get_overall_chart_data from a single authenticated session.
- Deploy web application firewall rules that decode JSON payloads and flag SQL metacharacters within stypes and slocations values.
- Correlate authentication telemetry showing low-privilege accounts issuing administrative AJAX calls with abnormal query volume.
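The log-inspection checks above, implemented as an added example (this is not code from the advisory, Wordfence, or the plugin): it parses admin-ajax.php POST bodies, decodes the stypes and slocations JSON the same way the handler does, flags the SQL tokens listed in the indicators, and counts calls per session to surface the repeated-call pattern. The sample events, session ids, roles and burst threshold are constructed for illustration.

```python
import json
import re
from collections import Counter
from urllib.parse import parse_qs

TARGET_ACTION = "wppro_get_overall_chart_data"
WATCHED_PARAMS = ("stypes", "slocations")
# IoC keywords from the advisory; "--" and "#" are noisy in free text, tune to your traffic.
SQL_PATTERN = re.compile(r"(?i)(union[\s/*]+select|sleep\s*\(|benchmark\s*\(|--|#|/\*)")
# Constructed sample of logged admin-ajax.php POST bodies with session and role attached (invented data).
CHART = "action=wppro_get_overall_chart_data&slocations=%5B%5D&stypes="
SAMPLE_EVENTS = [
    {"session": "s1", "role": "subscriber", "body": CHART + "%5B%22google%22%5D"},
    {"session": "s2", "role": "subscriber", "body": CHART + "%5B%22a%27%20UNION%20SELECT%201--%20%22%5D"},
    {"session": "s1", "role": "subscriber", "body": "action=heartbeat&data=%7B%7D"},
] + 25 * [{"session": "s3", "role": "subscriber", "body": CHART + "%5B%22yelp%22%5D"}]

def _strings(value):
    # Yield every string nested anywhere inside a decoded JSON value.
    if isinstance(value, str):
        yield value
    elif isinstance(value, (list, dict)):
        for v in (value.values() if isinstance(value, dict) else value):
            yield from _strings(v)

def inspect_body(body):
    # Offending (param, string) pairs for one POST body; None if it is not a call to the action.
    form = parse_qs(body, keep_blank_values=True)
    if form.get("action", [""])[0] != TARGET_ACTION:
        return None
    hits = []
    for name in WATCHED_PARAMS:
        for raw in form.get(name, []):
            try:
                decoded = json.loads(raw)   # decode as the handler's json_decode() would
            except ValueError:
                decoded = raw               # malformed JSON: scan the raw parameter text
            hits += [(name, s) for s in _strings(decoded) if SQL_PATTERN.search(s)]
    return hits

def analyze(events, burst_threshold=20):
    # Flag payload hits, plus sessions that call the endpoint burst_threshold or more times.
    flagged, calls = [], Counter()
    for ev in events:
        hits = inspect_body(ev["body"])
        if hits is None:
            continue
        calls[ev["session"]] += 1
        flagged += [{"session": ev["session"], "role": ev["role"], "param": p, "value": s} for p, s in hits]
    return {"flagged": flagged, "bursts": {k: n for k, n in calls.items() if n >= burst_threshold}}
```

Run analyze(SAMPLE_EVENTS) to see one flagged payload from session s2 and a burst from s3; feed it real proxy log bodies tagged with session and role to use it on live traffic.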
Monitoring Recommendations
- Forward WordPress and reverse-proxy logs to a centralized analytics platform and alert on bursts of admin-ajax.php traffic from non-admin users.
- Track database query latency and result row counts for the WordPress database to detect bulk extraction patterns.
- Monitor for newly created Subscriber accounts that subsequently invoke plugin AJAX actions.
How to Mitigate CVE-2026-8443
Immediate Actions Required
- Update the WP Review Slider Pro plugin to a version later than 12.6.8 as soon as the vendor releases a patched build.
- Audit existing WordPress user accounts and remove or disable unused Subscriber-level and higher accounts.
- Rotate WordPress administrator passwords and database credentials if exploitation is suspected.
- Restrict user registration to trusted sources until the plugin is updated.
Patch Information
At the time of publication, consult the WP Review Slider official site and the Wordfence Vulnerability Report for the fixed version number. Apply the vendor-supplied update through the WordPress plugin manager and verify that the installed version is greater than 12.6.8.
Workarounds
- Deactivate and remove the WP Review Slider Pro plugin until a fixed version is installed.
- Block requests to admin-ajax.php with action=wppro_get_overall_chart_data at the web application firewall for non-administrator sessions.
- Disable open user registration in WordPress settings to reduce the population of accounts that meet the Subscriber-level prerequisite.
# Example WAF rule (ModSecurity) to block suspicious AJAX payloads.
# The three rules form one chain: the request is denied only when all three match.
# Tune the final pattern against your traffic; "--" and "/*" can appear in legitimate review text.
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
    "chain,phase:2,deny,status:403,log,id:1026844301,msg:'Block WP Review Slider Pro SQLi attempts'"
    SecRule ARGS:action "@streq wppro_get_overall_chart_data" "chain"
    SecRule ARGS:stypes|ARGS:slocations "@rx (?i)(union[\s/*]+select|sleep\s*\(|benchmark\s*\(|--|/\*)" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

