Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
4024 articles · 176782 vulns · 36/41 feeds (7d)
← Back to list
7.5
CVE-2026-8441EXPLOITED
wordpress · wp review slider pro

WP Review Slider Pro <= 12.7.2 - Unauthenticated SQL Injection via 'notinstring' Parameter

Description

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'notinstring' parameter of the wprp_load_more_revs AJAX action in versions up to, and including, 12.7.2. The parameter is read via $_POST['notinstring'] and passed through sanitize_text_field() — which strips HTML and whitespace but does not provide SQL safety. The value is then concatenated directly into a numeric/unquoted `AND id NOT IN (...)` clause and executed via $wpdb->get_results() without $wpdb->prepare() or intval() casting. Because the value sits in an unquoted numeric context, WordPress's wp_magic_quotes protection (which only escapes embedded quotes) is ineffective. The AJAX hook is registered via wp_ajax_nopriv_wprp_load_more_revs, and the required check_ajax_referer nonce is publicly available via wp_localize_script on any frontend page that renders the plugin shortcode, so an unauthenticated attacker who can reach a public page hosting the plugin can extract arbitrary data from the database via blind/time-based injection.

Affected Products

VendorProductVersions
wordpresswp review slider pro0

References

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/396ba24f-e0f7-4374-a9ce-d9abddb87b39?source=cve
  • https://wpreviewslider.userecho.com/knowledge-bases/2/articles/88-change-log

Related News (1 articles)

Tier C
VulDB15d ago
CVE-2026-8441 | WP Review Slider Pro Plugin up to 12.7.2 on WordPress Shortcode sanitize_text_field notinstring sql injection (EUVD-2026-41274)
→ No new info (linked only)
CVSS 3.17.5 HIGH
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA KEV❌ No
Actively exploited✅ Yes
CWECWE-89
PublishedJul 2, 2026
Last enriched15d agov2
Trending Score6
Source articles1
Independent1
Info Completeness8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-63030EXPKEV
WordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue leading to Remote Code Execution
Trending: 123
CRITICALCVE-2026-60137
WordPress < 7.0.2 - Facilitated SQL Injection via author__not_in in WP_Query
Trending: 44
HIGHCVE-2026-9700EXP
Eventer <= 4.4.2 - Unauthenticated SQL Injection via 'code' Parameter
Trending: 13
MEDIUMCVE-2026-12097EXP
User Management <= 1.2 - Missing Authorization to Unauthenticated Plugin Settings Modification
Trending: 12
CRITICALCVE-2026-6382EXP
Multiple elFinder Plugins - Authenticated OS Command Injection
Trending: 9

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 2, 2026
Discovered by ZDM
Jul 2, 2026
Updated: severity, activelyExploited
Jul 2, 2026
Actively Exploited
Jul 2, 2026

Version History

v2
Last enriched 15d ago
v2Tier C15d ago

Updated severity to CRITICAL and marked the vulnerability as actively exploited.

severityactivelyExploited
via VulDB
v115d ago

Initial creation