CVE-2026-8443 HIGH

CVE-2026-8443: WP Review Slider Pro <= 12.6.8 - Authenticated (Subscriber+) SQL Injection via 'stypes' Parameter

Vendor https://wpreviewslider.com/
Product WP Review Slider Pro
Weakness CWE-89 · SQLi
Published June 16, 2026
Last update June 16, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'stypes' and 'slocations' parameters of the wppro_get_overall_chart_data AJAX action in versions up to, and including, 12.6.8. This is due to the use of stripslashes() on user-supplied JSON strings prior to json_decode(), which removes the escaping applied by WordPress's wp_magic_quotes; the resulting decoded array values are then concatenated directly into SQL WHERE clauses without parameterization, and the constructed query is executed via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The handler also returns the executed SQL string in its JSON response, which simplifies oracle construction for blind exploitation.
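The query-building defect described above, shown beside a parameterized rewrite, as an added example that is not the plugin's own code. The `wpdb` class below is a minimal stand-in for WordPress's `$wpdb` (only `%s`/`%d` placeholders, no real database) so the file runs under plain `php`; the function names `chart_data_unsafe`/`chart_data_safe`, the `example_reviews` table and the `type` column are assumptions for illustration, not identifiers from the plugin. The sample POST body is constructed and contains a benign apostrophe, which is enough to show that the concatenated form breaks the query's quoting while the prepared form does not.

```php
<?php
// Added example, not code from the WP Review Slider Pro plugin. It shows the
// query-building defect the advisory describes (escaping stripped, decoded JSON
// values concatenated into a WHERE clause, no $wpdb->prepare()) beside a
// parameterized rewrite. The wpdb class is a minimal stand-in for WordPress's
// $wpdb so the file runs under plain `php`; the function and table names are
// assumptions for illustration, not the plugin's own identifiers.

class wpdb {
    public string $prefix = 'wp_';
    public string $last_query = '';

    // Stand-in for $wpdb->prepare(): supports only %s and %d. Real WordPress
    // escapes through the MySQL driver; addslashes() is enough for a demo.
    public function prepare(string $query, ...$args): string {
        $i = 0;
        return preg_replace_callback('/%[sd]/', function (array $m) use ($args, &$i): string {
            $arg = $args[$i++] ?? '';
            return $m[0] === '%d'
                ? (string) (int) $arg
                : "'" . addslashes((string) $arg) . "'";
        }, $query);
    }

    // Stand-in for $wpdb->get_results(): records the SQL instead of running it.
    public function get_results(string $query): array {
        $this->last_query = $query;
        return [];
    }
}

// The pattern the advisory describes. stripslashes() undoes wp_magic_quotes(),
// which is legitimate on its own; the defect is the raw concatenation below.
function chart_data_unsafe(wpdb $wpdb, array $post): string {
    $stypes = json_decode(stripslashes($post['stypes'] ?? '[]'), true) ?: [];
    $where  = [];
    foreach ($stypes as $type) {
        $where[] = "type = '" . $type . "'";   // SQLi sink: value spliced into SQL text
    }
    $sql = "SELECT COUNT(*) AS n FROM {$wpdb->prefix}example_reviews WHERE "
         . implode(' OR ', $where);
    $wpdb->get_results($sql);
    return $sql;   // the advisory notes the handler echoes the SQL back; do not do this
}

// Parameterized rewrite: validate the decoded structure, bind every value
// through a placeholder, and never hand the SQL text to the caller.
function chart_data_safe(wpdb $wpdb, array $post): array {
    $decoded = json_decode(stripslashes($post['stypes'] ?? '[]'), true);
    if (!is_array($decoded)) {
        return [];                                  // reject non-array JSON outright
    }
    $types = array_values(array_map('strval', array_filter($decoded, 'is_scalar')));
    if ($types === []) {
        return [];                                  // avoid emitting a dangling WHERE
    }
    $placeholders = implode(', ', array_fill(0, count($types), '%s'));
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) AS n FROM {$wpdb->prefix}example_reviews WHERE type IN ($placeholders)",
        ...$types
    );
    return $wpdb->get_results($sql);
}

// Constructed request: WordPress's wp_magic_quotes() has already added slashes
// to the POST body, so the JSON arrives escaped, exactly as the plugin sees it.
$post = ['stypes' => addslashes('["google","O\'Reilly Reviews"]')];
$db   = new wpdb();

echo 'unsafe: ' . chart_data_unsafe($db, $post) . PHP_EOL;
chart_data_safe($db, $post);
echo 'safe:   ' . $db->last_query . PHP_EOL;
```

Run with `php example.php`: the first line prints a WHERE clause whose quoting is broken by the apostrophe (the same opening an attacker's input abuses), the second prints `type IN ('google', 'O\'Reilly Reviews')` with both values bound. In a real AJAX handler registered with `add_action('wp_ajax_...')`, the same rewrite belongs behind `check_ajax_referer()` and a `current_user_can()` check appropriate to the data, and the JSON response should carry the chart data only, never the executed SQL string.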

Explanation of Vulnerability in Simple Terms

Summary

WP Review Slider Pro versions up to 12.6.8 contain a SQL injection vulnerability in database query handling. An authenticated user with low privileges can inject malicious SQL commands through unfiltered input, potentially reading, modifying, or deleting site data. The vulnerability requires valid site access but no additional user interaction.

What an attacker can do

Attacker Capabilities

Read, modify, or delete database records including user credentials and site configuration.

Potential impact on your site

Site Impact

Attackers with basic site access can compromise user data, alter content, or disable the site entirely.

Conditions required to exploit

Prerequisites

Attacker must have a low-privilege account on the WordPress site (e.g., subscriber or contributor role).

Key dates

Disclosure timeline

June 16, 2026 CVE published
