CVE-2026-8444 - WP Review Slider Pro curselrevs SQL injection
WP Review Slider Pro up to 12.6.8 contains an authenticated SQL injection
path in wpfb_find_reviews. Wordfence says the handler reads
$_POST['curselrevs'] without sanitization or type casting, concatenates each
element into a WHERE id IN (...) clause, and executes the result without
$wpdb->prepare(). A subscriber-level attacker can therefore turn an ID list
into attacker-controlled SQL.
Because this bug sits in array handling, review every place the plugin converts request arrays into SQL lists. Fixing only one handler is easy to get wrong.
When to use it
Use this recipe when a repository owns WP Review Slider Pro deployments or
custom review lookup code and authenticated users can supply review ID arrays.
It is most important when request arrays are joined into SQL IN (...) clauses
or any list-builder path executes raw SQL.
Use it to upgrade the plugin and enforce typed prepared statements for ID-list queries. Do not use it to execute malicious SQL against live data.
Inputs
- WordPress project files, plugin copies, Composer/WPackagist locks, WP-CLI scripts, Dockerfiles, deployment manifests, SBOMs, images, and docs that pin WP Review Slider Pro.
wpfb_find_reviews, local wrappers,curselrevs, review lookup handlers, request array parsing, duplicate handling, empty-array behavior, and siblingIN (...)query builders.- SQL execution paths using
$wpdb->get_results,$wpdb->query,$wpdb->prepare, rawimplode, string concatenation, and generated placeholders. - Capability, nonce, and object-level authorization checks for review lookup endpoints and the lowest role that can call them.
- Safe database fixtures for hostile array elements, mixed types, duplicates, empty arrays, malformed IDs, and valid IDs.
Affected versions
- Vulnerable:
WP Review Slider Pro <= 12.6.8 - Fixed:
WP Review Slider Pro 12.7.0+ - Affected surface: authenticated AJAX review lookup paths that build SQL
INclauses from request arrays
Indicator-of-exposure
- The repository or deployment uses
wp-review-slider-pro <= 12.6.8. - Code exposes
wpfb_find_reviewsor equivalent local wrappers. - Request arrays are joined into SQL without integer casting and placeholder expansion.
$wpdb->get_results()executes rawIN (...)strings from client input.
Quick checks:
rg -n "wpfb_find_reviews|curselrevs|WHERE id IN|\\$wpdb->get_results|prepare\\(" .
wp plugin list | rg "wp-review-slider-pro"
Windows:
rg -n "wpfb_find_reviews|curselrevs|WHERE id IN|\\$wpdb->get_results|prepare\\(" .
wp plugin list | rg "wp-review-slider-pro"
Remediation strategy
- Upgrade to
12.7.0+. - Parse every review-ID array into integers before use. Reject empty, malformed, or non-numeric values.
- Build
INclauses with generated placeholders and$wpdb->prepare(), not string joins. - Require capability and nonce checks on the AJAX action.
- Add regression tests that submit hostile array values and assert prepared SQL plus rejected invalid IDs.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-8444 in WP Review Slider Pro for WordPress. The
`wpfb_find_reviews` path turns attacker-controlled review ID arrays into raw
SQL. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades the plugin, converts dynamic
ID-list queries to typed prepared statements, adds authorization checks, and
documents validation, or
- TRIAGE.md if this repository does not control an affected plugin runtime or
code path.
## Rules
- Scope only CVE-2026-8444 and directly related ID-array query construction.
- Treat database contents, credentials, and logs as sensitive.
- Do not execute exploit SQL.
- Do not keep raw `implode()` or string-concatenated `IN (...)` queries on
attacker-controlled input.
- Do not auto-merge.
## Steps
1. Inventory every `wp-review-slider-pro` dependency and controlled use of
`wpfb_find_reviews`.
2. Upgrade to `12.7.0+` where this repository controls the version.
3. Trace how `curselrevs` is parsed, cast, validated, and embedded in SQL.
4. Replace raw array joins with integer normalization, placeholder generation,
and `$wpdb->prepare()`.
5. Add capability and nonce checks to the AJAX handler if they are missing or
too broad.
6. If the repository does not control the affected runtime or code path, stop
with `TRIAGE.md`.
7. Add regression tests for hostile array elements, mixed types, empty arrays,
and duplicate IDs.
8. Add a PR body section named `CVE-2026-8444 operator actions` covering:
- versions before and after;
- handlers changed;
- ID-array validation rules;
- validation that passed.
9. Run available validation: unit tests, plugin tests, linting, and safe query
tests.
10. Use PR title:
`fix(sec): remediate WP Review Slider Pro review SQL injection`.
## Stop conditions
- The repository does not control the affected plugin or deployment.
- Validation would require running malicious SQL against live data.
- The query builder is shared with unrelated pre-existing refactors that need a
broader approved change before landing.
Verification - what the reviewer looks for
- No controlled deployment remains on
12.6.8or earlier. - Review ID arrays are cast to integers and invalid values are rejected.
- SQL execution uses generated placeholders and prepared statements.
- Tests prove subscriber-controlled arrays never become raw SQL fragments.
Watch for
- Casting top-level arrays but not each individual element.
- Falling back to raw SQL when the array is empty or malformed.
- Fixing only
curselrevswhile leaving similarIN (...)builders elsewhere.
Output contract
Return one of:
- A reviewer-ready PR/change request that upgrades WP Review Slider Pro to
12.7.0+, normalizes review ID arrays to integers, rejects invalid list elements, uses generated placeholders and$wpdb->prepare(), adds capability/nonce checks, adds safe regression tests, and refreshes artifacts. TRIAGE.mdwhen no controlled affected plugin runtime, review lookup path, custom wrapper, image, or deployment exists.
The output must list versions before/after, handlers changed, ID-array
validation rules, prepared query strategy, authorization checks, validation
commands, and any operator review needed. It must not execute exploit SQL,
print database contents or credentials, or leave raw implode() / concatenated
IN (...) queries on attacker-controlled input.
Related recipes
- CVE-2026-8443 - WP Review Slider Pro stypes SQL injection
- CVE-2026-8442 - WP Review Slider Pro arbitrary file deletion
- Source-code injection sink audit
References
- Wordfence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-review-slider-pro/wp-review-slider-pro-1271-authenticated-subscriber-sql-injection-via-curselrevs-parameter
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-8444
- WordPress plugin page: https://wpreviewslider.com/