CVE-2026-8443 - WP Review Slider Pro stypes SQL injection

WP Review Slider Pro up to 12.6.8 contains an authenticated SQL injection path in the wppro_get_overall_chart_data AJAX action. Wordfence reports the handler runs stripslashes() on user-supplied JSON before json_decode(), then concatenates stypes and slocations array values directly into SQL WHERE clauses and executes the result without $wpdb->prepare(). The same advisory says the handler returns the executed SQL string in JSON responses, which lowers the effort needed for blind exploitation by a subscriber-level attacker.

The right fix is not “escape this one field.” Review the entire query-building shape around dynamic review filters and arrays.

When to use it

Use this recipe when a repository owns WP Review Slider Pro deployments or custom review/reporting code and authenticated users can reach chart/report AJAX endpoints. It is most important when request arrays or comma-separated filters become SQL WHERE, IN, or ORDER BY fragments.

Use it to upgrade the plugin and convert dynamic review filters into typed prepared statements. Do not use it to run destructive SQL against real data.

Inputs

  • WordPress project files, plugin copies, Composer/WPackagist locks, WP-CLI scripts, Dockerfiles, deployment manifests, SBOMs, images, and docs that pin WP Review Slider Pro.
  • wppro_get_overall_chart_data, local wrappers, review chart/report endpoints, request parsing, stripslashes, json_decode, stypes, slocations, and sibling dynamic filter arrays.
  • SQL construction paths using $wpdb->get_results, $wpdb->query, $wpdb->prepare, raw WHERE/IN/ORDER BY fragments, and debug output that returns executed SQL.
  • Capability, nonce, and object-level authorization checks for chart/report endpoints and the lowest role that can call them.
  • Safe database fixtures with hostile-looking values that validate parameterization without touching production data.

Affected versions

  • Vulnerable: WP Review Slider Pro <= 12.6.8
  • Fixed: WP Review Slider Pro 12.7.0+
  • Affected surface: authenticated AJAX chart/report endpoints that build review queries from request parameters

Indicator-of-exposure

  • The repository or deployment uses wp-review-slider-pro <= 12.6.8.
  • Code exposes wppro_get_overall_chart_data.
  • SQL clauses are built by concatenating request arrays or comma-separated filters into WHERE, IN, or ORDER BY fragments.
  • $wpdb->query() or $wpdb->get_results() is used without $wpdb->prepare() on attacker-reachable inputs.

Quick checks:

rg -n "wppro_get_overall_chart_data|stypes|slocations|\\$wpdb->get_results|\\$wpdb->query|prepare\\(" .
wp plugin list | rg "wp-review-slider-pro"

Windows:

rg -n "wppro_get_overall_chart_data|stypes|slocations|\\$wpdb->get_results|\\$wpdb->query|prepare\\(" .
wp plugin list | rg "wp-review-slider-pro"

Remediation strategy

  • Upgrade to 12.7.0+.
  • Parameterize every dynamic query component. Where a list is required, parse it into typed values and build placeholders programmatically before calling $wpdb->prepare().
  • Reject invalid filter values early rather than attempting to escape free-form SQL fragments.
  • Apply capability and nonce checks to the affected AJAX action.
  • Add regression tests with hostile-looking filter values that prove only typed values reach the database layer.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-8443 in WP Review Slider Pro for WordPress. The
plugin concatenates attacker-controlled review filters into SQL in the
`wppro_get_overall_chart_data` path. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades the plugin, replaces raw SQL
  concatenation with typed prepared statements, adds authorization checks, and
  documents validation, or
- TRIAGE.md if this repository does not control an affected plugin runtime or
  query path.

## Rules

- Scope only CVE-2026-8443 and directly related chart-data query construction.
- Treat database contents, credentials, and logs as sensitive.
- Do not run destructive SQL payloads.
- Do not "fix" this by stripping a few characters while leaving raw SQL
  construction in place.
- Do not auto-merge.

## Steps

1. Inventory every `wp-review-slider-pro` copy and every controlled use of
   `wppro_get_overall_chart_data`.
2. Upgrade to `12.7.0+` where possible.
3. Trace how `stypes`, `slocations`, and other filter inputs are parsed and
   embedded into SQL.
4. Convert every attacker-controlled query fragment to typed values with
   placeholders and `$wpdb->prepare()`.
5. Add capability and nonce checks to the AJAX handler if they are missing or
   too broad.
6. If the repository does not control the vulnerable runtime or query path,
   stop with `TRIAGE.md`.
7. Add regression tests that submit hostile filter values and prove generated
   SQL remains parameterized.
8. Add a PR body section named `CVE-2026-8443 operator actions` covering:
   - versions before and after;
   - query paths changed;
   - parameter types enforced;
   - validation that passed.
9. Run available validation: unit tests, plugin tests, linting, and safe
   database query tests.
10. Use PR title:
    `fix(sec): remediate WP Review Slider Pro chart SQL injection`.

## Stop conditions

- The repository does not control the affected plugin or deployment.
- Validation would require executing exploit SQL against real data.
- Dynamic SQL shape is shared with unrelated pre-existing bugs that require a
  broader approved refactor outside this CVE scope.

Verification - what the reviewer looks for

  • No controlled deployment remains on 12.6.8 or earlier.
  • Request arrays are parsed into typed values before query construction.
  • Query execution uses prepared statements rather than raw concatenation.
  • Authorization and nonce checks exist on the attacker-reachable handler.

Watch for

  • Preparing only part of the query while leaving IN (...) fragments raw.
  • Sanitizing strings but not converting numeric IDs to integers.
  • Fixing stypes while leaving sibling filters like slocations vulnerable.

Output contract

Return one of:

  • A reviewer-ready PR/change request that upgrades WP Review Slider Pro to 12.7.0+, parses request filters into typed values, uses generated placeholders and $wpdb->prepare() for dynamic SQL, adds capability/nonce checks, adds safe query regression tests, and refreshes artifacts.
  • TRIAGE.md when no controlled affected plugin runtime, chart-data query path, custom wrapper, image, or deployment exists.

The output must list versions before/after, query paths changed, filter types enforced, authorization checks, validation commands, and any operator review needed. It must not execute exploit SQL, print database contents or credentials, or rely on stripping characters while raw SQL construction remains.

References