The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action. This vulnerability allows authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into existing queries, potentially leading to sensitive information extraction from the database.
Severity: HIGH. Vendor site: https://wpreviewslider.com/. CVE published 2026-06-16.
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'stypes' and 'slocations' parameters of the wppro_get_overall_chart_data AJAX action in versions up to, and including, 12.6.8. This is due to the use of stripslashes() on user-supplied JSON strings prior to json_decode(), which removes the escaping applied by WordPress's wp_magic_quotes; the resulting decoded array values [truncated]