CVE-2026-8444 - WP Review Slider Pro curselrevs SQL injection

WP Review Slider Pro up to 12.6.8 contains an authenticated SQL injection path in wpfb_find_reviews. Wordfence says the handler reads $_POST['curselrevs'] without sanitization or type casting, concatenates each element into a WHERE id IN (...) clause, and executes the result without $wpdb->prepare(). A subscriber-level attacker can therefore turn an ID list into attacker-controlled SQL.

Because this bug sits in array handling, review every place the plugin converts request arrays into SQL lists. Fixing only one handler is easy to get wrong.

When to use it

Use this recipe when a repository owns WP Review Slider Pro deployments or custom review lookup code and authenticated users can supply review ID arrays. It is most important when request arrays are joined into SQL IN (...) clauses or any list-builder path executes raw SQL.

Use it to upgrade the plugin and enforce typed prepared statements for ID-list queries. Do not use it to execute malicious SQL against live data.

Inputs

  • WordPress project files, plugin copies, Composer/WPackagist locks, WP-CLI scripts, Dockerfiles, deployment manifests, SBOMs, images, and docs that pin WP Review Slider Pro.
  • wpfb_find_reviews, local wrappers, curselrevs, review lookup handlers, request array parsing, duplicate handling, empty-array behavior, and sibling IN (...) query builders.
  • SQL execution paths using $wpdb->get_results, $wpdb->query, $wpdb->prepare, raw implode, string concatenation, and generated placeholders.
  • Capability, nonce, and object-level authorization checks for review lookup endpoints and the lowest role that can call them.
  • Safe database fixtures for hostile array elements, mixed types, duplicates, empty arrays, malformed IDs, and valid IDs.

Affected versions

  • Vulnerable: WP Review Slider Pro <= 12.6.8
  • Fixed: WP Review Slider Pro 12.7.0+
  • Affected surface: authenticated AJAX review lookup paths that build SQL IN clauses from request arrays

Indicator-of-exposure

  • The repository or deployment uses wp-review-slider-pro <= 12.6.8.
  • Code exposes wpfb_find_reviews or equivalent local wrappers.
  • Request arrays are joined into SQL without integer casting and placeholder expansion.
  • $wpdb->get_results() executes raw IN (...) strings from client input.

Quick checks:

rg -n "wpfb_find_reviews|curselrevs|WHERE id IN|\\$wpdb->get_results|prepare\\(" .
wp plugin list | rg "wp-review-slider-pro"

Windows:

rg -n "wpfb_find_reviews|curselrevs|WHERE id IN|\\$wpdb->get_results|prepare\\(" .
wp plugin list | rg "wp-review-slider-pro"

Remediation strategy

  • Upgrade to 12.7.0+.
  • Parse every review-ID array into integers before use. Reject empty, malformed, or non-numeric values.
  • Build IN clauses with generated placeholders and $wpdb->prepare(), not string joins.
  • Require capability and nonce checks on the AJAX action.
  • Add regression tests that submit hostile array values and assert prepared SQL plus rejected invalid IDs.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-8444 in WP Review Slider Pro for WordPress. The
`wpfb_find_reviews` path turns attacker-controlled review ID arrays into raw
SQL. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades the plugin, converts dynamic
  ID-list queries to typed prepared statements, adds authorization checks, and
  documents validation, or
- TRIAGE.md if this repository does not control an affected plugin runtime or
  code path.

## Rules

- Scope only CVE-2026-8444 and directly related ID-array query construction.
- Treat database contents, credentials, and logs as sensitive.
- Do not execute exploit SQL.
- Do not keep raw `implode()` or string-concatenated `IN (...)` queries on
  attacker-controlled input.
- Do not auto-merge.

## Steps

1. Inventory every `wp-review-slider-pro` dependency and controlled use of
   `wpfb_find_reviews`.
2. Upgrade to `12.7.0+` where this repository controls the version.
3. Trace how `curselrevs` is parsed, cast, validated, and embedded in SQL.
4. Replace raw array joins with integer normalization, placeholder generation,
   and `$wpdb->prepare()`.
5. Add capability and nonce checks to the AJAX handler if they are missing or
   too broad.
6. If the repository does not control the affected runtime or code path, stop
   with `TRIAGE.md`.
7. Add regression tests for hostile array elements, mixed types, empty arrays,
   and duplicate IDs.
8. Add a PR body section named `CVE-2026-8444 operator actions` covering:
   - versions before and after;
   - handlers changed;
   - ID-array validation rules;
   - validation that passed.
9. Run available validation: unit tests, plugin tests, linting, and safe query
   tests.
10. Use PR title:
    `fix(sec): remediate WP Review Slider Pro review SQL injection`.

## Stop conditions

- The repository does not control the affected plugin or deployment.
- Validation would require running malicious SQL against live data.
- The query builder is shared with unrelated pre-existing refactors that need a
  broader approved change before landing.

Verification - what the reviewer looks for

  • No controlled deployment remains on 12.6.8 or earlier.
  • Review ID arrays are cast to integers and invalid values are rejected.
  • SQL execution uses generated placeholders and prepared statements.
  • Tests prove subscriber-controlled arrays never become raw SQL fragments.

Watch for

  • Casting top-level arrays but not each individual element.
  • Falling back to raw SQL when the array is empty or malformed.
  • Fixing only curselrevs while leaving similar IN (...) builders elsewhere.

Output contract

Return one of:

  • A reviewer-ready PR/change request that upgrades WP Review Slider Pro to 12.7.0+, normalizes review ID arrays to integers, rejects invalid list elements, uses generated placeholders and $wpdb->prepare(), adds capability/nonce checks, adds safe regression tests, and refreshes artifacts.
  • TRIAGE.md when no controlled affected plugin runtime, review lookup path, custom wrapper, image, or deployment exists.

The output must list versions before/after, handlers changed, ID-array validation rules, prepared query strategy, authorization checks, validation commands, and any operator review needed. It must not execute exploit SQL, print database contents or credentials, or leave raw implode() / concatenated IN (...) queries on attacker-controlled input.

References