CVE-2026-8444

HIGH 8.8

WP Review Slider Pro <= 12.6.8 - Authenticated (Subscriber+) SQL Injection via 'curselrevs' Parameter

CVSS Score

8.8

EPSS Score

0.3%

EPSS Percentile

16th

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action in versions up to, and including, 12.6.8. This is due to the handler reading $_POST['curselrevs'] raw with no sanitization or type casting, then concatenating each array element directly into a `WHERE id IN ( ... )` clause without quoting and executing via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CWE	CWE-89
Vendor	https://wpreviewslider.com/
Product	wp review slider pro
Published	Jun 16, 2026
Last Updated	Jun 16, 2026

Stay Ahead of the Next One

Get instant alerts for https://wpreviewslider.com/ wp review slider pro

Be the first to know when new high vulnerabilities affecting https://wpreviewslider.com/ wp review slider pro are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

https://wpreviewslider.com/ / WP Review Slider Pro

0 ≤ 12.6.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/633d26e9-8a05-4f4b-93a8-5644f2f699db?source=cve wpreviewslider.com: https://wpreviewslider.com/

Credits

Phú