
CVE-2026-8444: WP Review Slider Pro SQLi Vulnerability

CVE-2026-8444 is a SQL injection flaw in WP Review Slider Pro for WordPress that allows authenticated attackers to extract sensitive database information. This article covers technical details, affected versions, and mitigation.


CVE-2026-8444 Overview

CVE-2026-8444 is a SQL Injection vulnerability [CWE-89] in the WP Review Slider Pro plugin for WordPress, affecting all versions up to and including 12.6.8. The flaw exists in the wpfb_find_reviews AJAX action handler, which reads the curselrevs[] POST parameter without sanitization or type casting. The handler concatenates each array element directly into a WHERE id IN ( ... ) clause and executes the query through $wpdb->get_results() without using $wpdb->prepare(). Authenticated attackers with Subscriber-level access or above can append additional SQL queries to extract sensitive data from the WordPress database.

Critical Impact

Authenticated attackers with low-privileged Subscriber accounts can exfiltrate password hashes, session tokens, and other sensitive database contents through SQL injection.

Affected Products

  • WP Review Slider Pro plugin for WordPress, versions up to and including 12.6.8
  • WordPress installations exposing the wpfb_find_reviews AJAX endpoint to authenticated users
  • Any site allowing Subscriber-level registration where the plugin is active

Discovery Timeline

  • 2026-06-16 - CVE-2026-8444 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-8444

Vulnerability Analysis

The vulnerability resides in the wpfb_find_reviews AJAX action registered by the WP Review Slider Pro plugin. The handler retrieves $_POST['curselrevs'] as a raw array and iterates over its elements to build the IN clause of a SQL query. Because no element is cast to integer, escaped, or passed through $wpdb->prepare(), attacker-controlled values are interpolated directly into the SQL string. The resulting query is executed via $wpdb->get_results(), returning data from the database back to the request context.

Exploitation requires only Subscriber-level authentication, the role WordPress assigns by default to self-registered users on sites with open registration. The attacker submits a crafted curselrevs[] array in which one or more elements contain SQL syntax such as UNION SELECT statements. The injected payload runs in the context of the WordPress database user, which typically has full read and write access to the wp_users, wp_usermeta, and wp_options tables.

Root Cause

The root cause is missing input validation and the absence of parameterized queries. The plugin trusts an array supplied through $_POST without enforcing integer types on the values that populate the IN ( ... ) list. WordPress documentation explicitly requires $wpdb->prepare() or explicit casting for any user-controlled value placed into SQL.
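As an added illustration (not code from the plugin or from this advisory), the unsafe IN ( ... ) construction described above is shown beside a hardened form that casts every element and uses $wpdb->prepare() with one %d placeholder per value; the table name and the FakeWpdb stand-in for $wpdb are assumptions so the snippet runs under plain php:

```php
<?php
// Added example, not the plugin's own code.
// Minimal stand-in for WordPress's $wpdb so this runs outside WordPress;
// the real prepare() additionally escapes %s arguments, which %d does not need.
class FakeWpdb {
    public function prepare(string $query, ...$args): string {
        return vsprintf($query, $args);
    }
}
$wpdb = new FakeWpdb();

// Hypothetical placeholder: the plugin's real table is not named in the advisory.
const REVIEWS_TABLE = 'wp_plugin_reviews_placeholder';

// Vulnerable pattern: each raw $_POST element is joined into the IN list unchanged.
function build_query_unsafe(array $curselrevs): string {
    $list = implode(',', $curselrevs);   // no intval(), no prepare()
    return 'SELECT * FROM ' . REVIEWS_TABLE . " WHERE id IN ($list)";
}

// Hardened form: cast every element to int, drop anything that is not a
// positive id, and emit one %d placeholder per surviving value for prepare().
// In a real AJAX handler also call check_ajax_referer() and a capability check.
function build_query_safe(array $curselrevs): ?string {
    global $wpdb;
    $ids = array_values(array_filter(
        array_map('intval', $curselrevs),
        fn(int $id): bool => $id > 0
    ));
    if ($ids === []) {
        return null;   // caller should answer with an empty result set
    }
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    return $wpdb->prepare(
        'SELECT * FROM ' . REVIEWS_TABLE . " WHERE id IN ($placeholders)",
        ...$ids
    );
}

// Constructed sample input: two legitimate ids, one tampered value, one junk string.
// intval() keeps only the leading integer of '1 OR 1=1', so the tautology is gone.
$sample = ['3', '7', '1 OR 1=1', 'abc'];
echo build_query_unsafe($sample), "\n";                 // injected text survives verbatim
echo build_query_safe($sample) ?? 'no valid ids', "\n"; // ... WHERE id IN (3,7,1)
```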

Attack Vector

An authenticated attacker sends a POST request to admin-ajax.php with action=wpfb_find_reviews and a curselrevs[] array containing malicious SQL payloads. Because the input is concatenated unquoted, payloads do not need to escape string delimiters. A UNION-based injection appended to one of the array elements returns arbitrary columns from any table the WordPress database user can read, including authentication material from wp_users.

No synthetic exploit code is published in this advisory. Refer to the Wordfence Vulnerability Report for technical details.

Detection Methods for CVE-2026-8444

Indicators of Compromise

  • POST requests to /wp-admin/admin-ajax.php containing action=wpfb_find_reviews with curselrevs[] parameters that include SQL keywords such as UNION, SELECT, SLEEP, or INFORMATION_SCHEMA
  • Unexpected database query errors in debug.log referencing the wpfb_find_reviews handler or malformed IN ( ... ) clauses
  • New or unfamiliar Subscriber accounts created shortly before suspicious AJAX traffic
  • Outbound data spikes following authenticated AJAX requests to the plugin endpoint

Detection Strategies

  • Inspect web server access logs for wpfb_find_reviews calls with non-numeric values among the curselrevs[] array elements
  • Enable WordPress query logging or use a Web Application Firewall in alert mode to capture SQL syntax in POST bodies
  • Correlate Subscriber-level authentication events with subsequent calls to the vulnerable AJAX action

Monitoring Recommendations

  • Forward WordPress and reverse proxy logs into a centralized analytics platform to detect anomalous AJAX patterns at scale
  • Monitor for sudden read volume on wp_users and wp_usermeta tables through database audit logging
  • Alert on AJAX responses larger than baseline for the wpfb_find_reviews endpoint, which often indicate successful UNION-based data extraction

How to Mitigate CVE-2026-8444

Immediate Actions Required

  • Update WP Review Slider Pro to a version higher than 12.6.8 once the vendor publishes a fix
  • Disable the plugin if a patched version is not yet available on sites that accept untrusted user registration
  • Restrict WordPress user registration or set the default role below Subscriber where business requirements permit
  • Rotate WordPress administrator passwords and secret keys if exploitation is suspected

Patch Information

No vendor patch URL is published in the NVD record at the time of writing. Monitor the WPreviewSlider Homepage and the Wordfence Vulnerability Report for the fixed release. Apply the update across all WordPress sites running the plugin and verify the version in wp-content/plugins/wp-review-slider-pro/.

Workarounds

  • Deploy a Web Application Firewall rule that blocks requests to admin-ajax.php where action=wpfb_find_reviews and curselrevs[] contains non-numeric characters
  • Remove or rename the plugin directory to disable the vulnerable AJAX handler until patching is possible
  • Close open registration via the WordPress General Settings page to remove the Subscriber-level prerequisite
```apache
# Example ModSecurity rule: block wpfb_find_reviews calls whose curselrevs[]
# values are not purely numeric. phase:2 runs after the request body is parsed,
# so SecRequestBodyAccess must be On for ARGS_POST to be populated.
SecRule ARGS_POST:action "@streq wpfb_find_reviews" \
    "id:1026844,phase:2,t:none,deny,status:403,log,\
    msg:'CVE-2026-8444 WP Review Slider Pro SQLi attempt',chain"
    # Second link of the chain: test only the curselrevs[] elements. Testing all
    # of ARGS_POST would match the non-numeric action value itself and block
    # every legitimate request to this endpoint.
    SecRule ARGS_POST:/^curselrevs\[/ "!@rx ^[0-9]+$" "t:none"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
