PatchSiren cyber security CVE debrief
CVE-2026-8444 https://wpreviewslider.com/ CVE debrief
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action. This vulnerability allows authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into existing queries, potentially leading to sensitive information extraction from the database.
- Vendor
- https://wpreviewslider.com/
- Product
- WP Review Slider Pro
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-16
- Original CVE updated
- 2026-06-16
- Advisory published
- 2026-06-16
- Advisory updated
- 2026-06-16
Who should care
Users of the WP Review Slider Pro plugin for WordPress, particularly those with versions up to and including 12.6.8, should be aware of this SQL Injection vulnerability.
Technical summary
The vulnerability arises from the plugin's handler reading $_POST['curselrevs'] without sanitization or type casting, then concatenating each array element directly into a `WHERE id IN ( ... )` clause without quoting and executing via $wpdb->get_results() without $wpdb->prepare().
Defensive priority
HIGH
Recommended defensive actions
- Update WP Review Slider Pro to a version beyond 12.6.8.
- Restrict access to the wpfb_find_reviews AJAX action.
- Monitor database queries for anomalies.
Evidence notes
The CVE-2026-8444 vulnerability has a CVSS score of 8.8 and is considered HIGH severity.
Official resources
CVE-2026-8444 was published on 2026-06-16T08:16:24.100Z and has not been modified since.