CVE-2026-8443 - WP Review Slider Pro stypes SQL injection
WP Review Slider Pro up to 12.6.8 contains an authenticated SQL injection
path in the wppro_get_overall_chart_data AJAX action. Wordfence reports the
handler runs stripslashes() on user-supplied JSON before json_decode(),
then concatenates stypes and slocations array values directly into SQL
WHERE clauses and executes the result without $wpdb->prepare(). The same
advisory says the handler returns the executed SQL string in JSON responses,
which lowers the effort needed for blind exploitation by a subscriber-level
attacker.
The right fix is not “escape this one field.” Review the entire query-building shape around dynamic review filters and arrays.
When to use it
Use this recipe when a repository owns WP Review Slider Pro deployments or
custom review/reporting code and authenticated users can reach chart/report
AJAX endpoints. It is most important when request arrays or comma-separated
filters become SQL WHERE, IN, or ORDER BY fragments.
Use it to upgrade the plugin and convert dynamic review filters into typed prepared statements. Do not use it to run destructive SQL against real data.
Inputs
- WordPress project files, plugin copies, Composer/WPackagist locks, WP-CLI scripts, Dockerfiles, deployment manifests, SBOMs, images, and docs that pin WP Review Slider Pro.
wppro_get_overall_chart_data, local wrappers, review chart/report endpoints, request parsing,stripslashes,json_decode,stypes,slocations, and sibling dynamic filter arrays.- SQL construction paths using
$wpdb->get_results,$wpdb->query,$wpdb->prepare, rawWHERE/IN/ORDER BYfragments, and debug output that returns executed SQL. - Capability, nonce, and object-level authorization checks for chart/report endpoints and the lowest role that can call them.
- Safe database fixtures with hostile-looking values that validate parameterization without touching production data.
Affected versions
- Vulnerable:
WP Review Slider Pro <= 12.6.8 - Fixed:
WP Review Slider Pro 12.7.0+ - Affected surface: authenticated AJAX chart/report endpoints that build review queries from request parameters
Indicator-of-exposure
- The repository or deployment uses
wp-review-slider-pro <= 12.6.8. - Code exposes
wppro_get_overall_chart_data. - SQL clauses are built by concatenating request arrays or comma-separated
filters into
WHERE,IN, orORDER BYfragments. $wpdb->query()or$wpdb->get_results()is used without$wpdb->prepare()on attacker-reachable inputs.
Quick checks:
rg -n "wppro_get_overall_chart_data|stypes|slocations|\\$wpdb->get_results|\\$wpdb->query|prepare\\(" .
wp plugin list | rg "wp-review-slider-pro"
Windows:
rg -n "wppro_get_overall_chart_data|stypes|slocations|\\$wpdb->get_results|\\$wpdb->query|prepare\\(" .
wp plugin list | rg "wp-review-slider-pro"
Remediation strategy
- Upgrade to
12.7.0+. - Parameterize every dynamic query component. Where a list is required, parse
it into typed values and build placeholders programmatically before calling
$wpdb->prepare(). - Reject invalid filter values early rather than attempting to escape free-form SQL fragments.
- Apply capability and nonce checks to the affected AJAX action.
- Add regression tests with hostile-looking filter values that prove only typed values reach the database layer.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-8443 in WP Review Slider Pro for WordPress. The
plugin concatenates attacker-controlled review filters into SQL in the
`wppro_get_overall_chart_data` path. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades the plugin, replaces raw SQL
concatenation with typed prepared statements, adds authorization checks, and
documents validation, or
- TRIAGE.md if this repository does not control an affected plugin runtime or
query path.
## Rules
- Scope only CVE-2026-8443 and directly related chart-data query construction.
- Treat database contents, credentials, and logs as sensitive.
- Do not run destructive SQL payloads.
- Do not "fix" this by stripping a few characters while leaving raw SQL
construction in place.
- Do not auto-merge.
## Steps
1. Inventory every `wp-review-slider-pro` copy and every controlled use of
`wppro_get_overall_chart_data`.
2. Upgrade to `12.7.0+` where possible.
3. Trace how `stypes`, `slocations`, and other filter inputs are parsed and
embedded into SQL.
4. Convert every attacker-controlled query fragment to typed values with
placeholders and `$wpdb->prepare()`.
5. Add capability and nonce checks to the AJAX handler if they are missing or
too broad.
6. If the repository does not control the vulnerable runtime or query path,
stop with `TRIAGE.md`.
7. Add regression tests that submit hostile filter values and prove generated
SQL remains parameterized.
8. Add a PR body section named `CVE-2026-8443 operator actions` covering:
- versions before and after;
- query paths changed;
- parameter types enforced;
- validation that passed.
9. Run available validation: unit tests, plugin tests, linting, and safe
database query tests.
10. Use PR title:
`fix(sec): remediate WP Review Slider Pro chart SQL injection`.
## Stop conditions
- The repository does not control the affected plugin or deployment.
- Validation would require executing exploit SQL against real data.
- Dynamic SQL shape is shared with unrelated pre-existing bugs that require a
broader approved refactor outside this CVE scope.
Verification - what the reviewer looks for
- No controlled deployment remains on
12.6.8or earlier. - Request arrays are parsed into typed values before query construction.
- Query execution uses prepared statements rather than raw concatenation.
- Authorization and nonce checks exist on the attacker-reachable handler.
Watch for
- Preparing only part of the query while leaving
IN (...)fragments raw. - Sanitizing strings but not converting numeric IDs to integers.
- Fixing
stypeswhile leaving sibling filters likeslocationsvulnerable.
Output contract
Return one of:
- A reviewer-ready PR/change request that upgrades WP Review Slider Pro to
12.7.0+, parses request filters into typed values, uses generated placeholders and$wpdb->prepare()for dynamic SQL, adds capability/nonce checks, adds safe query regression tests, and refreshes artifacts. TRIAGE.mdwhen no controlled affected plugin runtime, chart-data query path, custom wrapper, image, or deployment exists.
The output must list versions before/after, query paths changed, filter types enforced, authorization checks, validation commands, and any operator review needed. It must not execute exploit SQL, print database contents or credentials, or rely on stripping characters while raw SQL construction remains.
Related recipes
- CVE-2026-8444 - WP Review Slider Pro curselrevs SQL injection
- CVE-2026-8442 - WP Review Slider Pro arbitrary file deletion
- Source-code injection sink audit
References
- Wordfence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-review-slider-pro/wp-review-slider-pro-1271-authenticated-subscriber-sql-injection-via-stypes-parameter
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-8443
- WordPress plugin page: https://wpreviewslider.com/