CVE-2026-8442 - WP Review Slider Pro arbitrary file deletion

WP Review Slider Pro up to 12.6.8 allows authenticated arbitrary file deletion. Wordfence says the wpfb_hide_review and wprp_save_review_admin AJAX handlers miss authorization checks, and wpfb_hidereview_ajax() uses a simple prefix test before passing a relative path to unlink(). That leaves a path-traversal deletion primitive that can remove files outside the intended media directory and may create follow-on remote code execution conditions.

When to use it

Use this recipe when a repository owns a WordPress deployment, plugin bundle, Composer/WPackagist path, image, or runbook that includes WP Review Slider Pro. It is most important when authenticated low-privilege users can reach review-management AJAX actions and the web process can delete uploads, cache files, plugin files, PHP files, or configuration files.

Use it to upgrade the plugin and harden destructive filesystem paths. Do not use it to delete real files during validation.

Inputs

  • WordPress project files, plugin artifact bundles, Composer/WPackagist locks, WP-CLI scripts, Dockerfiles, deployment manifests, SBOMs, image metadata, and operator docs that reference wp-review-slider-pro.
  • Handler paths for wpfb_hide_review, wprp_save_review_admin, wpfb_hidereview_ajax, custom wrappers, capability checks, nonce checks, object-level authorization, and any unlink() calls.
  • Filesystem policy for review media roots, upload directories, symlinks, cache directories, plugin directories, PHP/config files, and backup/restore procedures.
  • Evidence of requester roles that can call review-management actions: subscriber, contributor, editor, admin, customer, integration, or automation.
  • Safe disposable filesystem fixtures for traversal, root mismatch, symlink, missing-file, and low-privilege delete tests.

Affected versions

  • Vulnerable: WP Review Slider Pro <= 12.6.8
  • Fixed: WP Review Slider Pro 12.7.0+
  • Affected surface: sites where authenticated users can hit the plugin’s review-management AJAX routes

Indicator-of-exposure

  • The repository or deployment uses wp-review-slider-pro <= 12.6.8.
  • Code exposes wpfb_hide_review, wprp_save_review_admin, or local wrappers.
  • Deletion logic relies on URL-prefix checks, string replacement, or relative path concatenation instead of canonical path validation.
  • The web process can delete PHP, config, cache, or upload files that influence later execution.

Quick checks:

rg -n "wp-review-slider-pro|wpfb_hide_review|wprp_save_review_admin|wpfb_hidereview_ajax|unlink\\(|strpos\\(" .
wp plugin list | rg "wp-review-slider-pro"

Windows:

rg -n "wp-review-slider-pro|wpfb_hide_review|wprp_save_review_admin|wpfb_hidereview_ajax|unlink\\(|strpos\\(" .
wp plugin list | rg "wp-review-slider-pro"

Remediation strategy

  • Upgrade to 12.7.0+.
  • Add capability and nonce checks to every review-management AJAX action. Do not let subscriber-level users call destructive handlers unless that is an intentional product requirement with additional object-level authorization.
  • Replace prefix-based path validation with canonical enforcement: normalize the candidate path, resolve it with realpath, ensure it stays under an expected root, and reject symlinks or missing files that defeat validation.
  • Never pass user-influenced relative paths straight to unlink().
  • Audit for deleted files that could enable code execution or persistence, and restore from known-good backups where needed.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-8442 in WP Review Slider Pro for WordPress. The
bug combines missing authorization on AJAX handlers with weak path validation,
allowing authenticated arbitrary file deletion. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades the plugin, hardens delete
  handlers, replaces string prefix checks with canonical path enforcement, and
  documents operator review of deleted-file risk, or
- TRIAGE.md if this repository does not control an affected plugin deployment
  or code path.

## Rules

- Scope only CVE-2026-8442 and directly related delete-handler logic.
- Treat plugin settings, uploads, backups, and configuration files as
  sensitive.
- Do not delete arbitrary files during validation.
- Do not keep destructive handlers reachable to low-privilege users.
- Do not auto-merge.

## Steps

1. Inventory every `wp-review-slider-pro` dependency, plugin copy, and custom
   wrapper in the repository and deployment manifests.
2. Upgrade to `12.7.0+` where this repository controls the plugin version.
3. Trace `wpfb_hide_review`, `wprp_save_review_admin`, and any equivalent local
   handler to identify capability, nonce, and object-level authorization gaps.
4. Replace string prefix or substring checks with canonical path validation
   rooted to the intended media directory.
5. Ensure delete operations reject traversal segments, symlink escapes, and
   paths outside the approved root before any filesystem call.
6. If the repository does not control the vulnerable runtime or code path, stop
   with `TRIAGE.md`.
7. Add regression tests that prove traversal payloads, mismatched roots, and
   low-privilege delete attempts are rejected before `unlink()`.
8. Review whether arbitrary deletion could have removed PHP files, config
   files, or security controls. Document restore or escalation actions.
9. Add a PR body section named `CVE-2026-8442 operator actions` covering:
   - versions before and after;
   - handlers changed;
   - root directories enforced;
   - deleted-file review results;
   - validation that passed.
10. Run available validation: unit tests, plugin tests, linting, and safe
    filesystem-path tests.
11. Use PR title:
    `fix(sec): remediate WP Review Slider Pro file deletion`.

## Stop conditions

- The repository does not control the affected plugin or deployment.
- Validation would require deleting real files outside disposable test fixtures.
- Evidence suggests arbitrary deletion already impacted production and incident
  response should take priority.

Verification - what the reviewer looks for

  • No controlled deployment remains on 12.6.8 or earlier.
  • Destructive AJAX handlers require appropriate capability and nonce checks.
  • Paths are canonicalized and rooted before deletion.
  • Tests prove traversal attempts never reach unlink().

Watch for

  • Upgrading the plugin while leaving custom helper code on the old validation pattern.
  • Using realpath only after opening or deleting the target.
  • Checking only the requester’s role and not whether the specific review/media object is in scope for that user.

Output contract

Return one of:

  • A reviewer-ready PR/change request that upgrades WP Review Slider Pro to 12.7.0+, adds capability/nonce/object checks to destructive handlers, replaces prefix checks with canonical path containment, adds safe filesystem regression tests, refreshes artifacts, and documents deleted-file review.
  • TRIAGE.md when no controlled affected plugin deployment, code path, image, artifact, or runbook exists.

The output must list versions before/after, handlers changed, requester roles, root directories enforced, validation commands, artifacts refreshed, and operator review for deleted-file or follow-on code-execution risk. It must not delete real files, expose uploads/backups/config files, or leave destructive handlers reachable to low-privilege users.

References