What Is CVE-2026-8443?
CVE-2026-8443 is a critical SQL injection vulnerability in the WP Review Slider Pro WordPress plugin. The flaw is in the wppro_get_o function, where user-supplied input from the stypes and slocations parameters is used in SQL queries without proper sanitization or parameterization. Any authenticated user, including one with only subscriber-level privileges, can therefore inject arbitrary SQL into the queries the plugin runs against the site database.
Versions Affected
All versions of WP Review Slider Pro up to and including 14.4 are vulnerable to this issue.
Is CVE-2026-8443 Being Exploited?
As of this writing, there are no confirmed reports of exploitation in the wild. However, proof-of-concept code is circulating publicly, and with a CVSS score of 8.8 and a low privilege requirement (any authenticated account, subscriber or above), weaponization is expected.
How to Fix CVE-2026-8443
The vendor has released version 14.5, which parameterizes the SQL queries in the affected function instead of concatenating the stypes and slocations values into them. Update immediately via the WordPress dashboard or by downloading the latest version from the vendor.
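The advisory describes the bug (user-controlled list values concatenated into a query) and the fix (parameterization) without showing either. The following is an added illustration, not code from WP Review Slider Pro: it assumes the two parameters feed IN (...) lists in a SELECT over a review table, uses an in-memory SQLite database with constructed rows in place of the site's MySQL database, and shows the concatenated version beside the parameterized one. The table, column names and the payload are assumptions.

```python
import sqlite3

# Hypothetical schema standing in for the plugin's review table; the advisory
# does not name the real table or columns (assumption).
ROWS = [  # constructed sample data
    (1, "google", "nyc", "Great service"),
    (2, "yelp", "nyc", "Fine"),
    (3, "google", "sf", "Slow"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reviews (id INTEGER PRIMARY KEY, rtype TEXT, location TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO reviews VALUES (?, ?, ?, ?)", ROWS)
    return conn


def vulnerable_query(conn, stypes, slocations):
    """Unsafe: every user value is quoted by string concatenation, so a value
    containing a single quote closes the literal and rewrites the WHERE clause."""
    types_sql = ",".join(f"'{t}'" for t in stypes)
    locs_sql = ",".join(f"'{loc}'" for loc in slocations)
    sql = (
        f"SELECT id FROM reviews WHERE rtype IN ({types_sql}) "
        f"AND location IN ({locs_sql}) ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def safe_query(conn, stypes, slocations):
    """Parameterized: one placeholder per list element. The values are bound by
    the driver and cannot alter the query structure. Empty lists return no rows
    rather than producing the invalid SQL 'IN ()'."""
    if not stypes or not slocations:
        return []
    type_ph = ",".join("?" * len(stypes))
    loc_ph = ",".join("?" * len(slocations))
    sql = (
        f"SELECT id FROM reviews WHERE rtype IN ({type_ph}) "
        f"AND location IN ({loc_ph}) ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql, [*stypes, *slocations])]


# Constructed injection value for stypes: closes the IN list, adds a
# tautology, and comments out the rest of the query.
PAYLOAD = "google') OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("benign, vulnerable:", vulnerable_query(db, ["google"], ["nyc"]))
    print("payload, vulnerable:", vulnerable_query(db, [PAYLOAD], ["nyc"]))
    print("payload, safe:", safe_query(db, [PAYLOAD], ["nyc"]))
```

With the payload, the concatenated query becomes `... WHERE rtype IN ('google') OR 1=1 --') AND location IN ('nyc') ...`, so the location filter is commented away and every row comes back; the parameterized query treats the same string as an ordinary (non-matching) value. The WordPress equivalent of safe_query is `$wpdb->prepare()` with one `%s` placeholder generated per list element, which is the pattern the 14.5 fix is described as applying.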
Recommendations
- Update WP Review Slider Pro to version 14.5 or later immediately.
- If an immediate update is not possible, consider temporarily disabling the plugin until patching can be completed.
- Review database and web-server logs for suspicious query patterns targeting the wppro_get_o function, such as quote characters, comment markers (--, /*) or OR/UNION clauses inside the stypes and slocations values.
- Implement a Web Application Firewall (WAF) rule to block requests containing SQL injection patterns in the stypes and slocations parameters. Treat this as a stopgap only: signature-based rules can be bypassed, so the rule does not replace the update.
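As an added example of the log review recommended above (not part of the original advisory), the script below scans web-server access log lines for requests whose stypes or slocations values fall outside the character set a comma-separated list of identifiers would use. The log lines are constructed, the admin-ajax.php path is an assumption (the advisory does not say how wppro_get_o is reached), and the allowlist is a triage heuristic rather than proof of exploitation.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the advisory names as the injection sinks.
WATCHED_PARAMS = ("stypes", "slocations")

# Assumption: legitimate values are comma-separated identifiers. Quotes,
# parentheses, comment markers and semicolons, which an injection needs,
# all fall outside this set.
ALLOWED = re.compile(r"^[A-Za-z0-9_,-]*$")

# Minimal Apache/nginx combined-log parser: client IP, method, request target.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; the endpoint path is an assumption.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:01:13 +0000] "GET /wp-admin/admin-ajax.php?stypes=google,yelp&slocations=12 HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2026:12:01:19 +0000] "GET /wp-admin/admin-ajax.php?stypes=google%27%29+OR+1%3D1--&slocations=12 HTTP/1.1" 200 9931
198.51.100.9 - - [10/Mar/2026:12:02:02 +0000] "GET /?p=3 HTTP/1.1" 200 4100
"""


def suspicious_values(target: str) -> dict:
    """Return {param: decoded value} for watched parameters failing the allowlist."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = {}
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if not ALLOWED.match(value):
                hits[name] = value
    return hits


def scan_log(text: str) -> list:
    """Return (ip, param, value) triples for every request carrying a flagged value."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for name, value in suspicious_values(m["target"]).items():
            findings.append((m["ip"], name, value))
    return findings


if __name__ == "__main__":
    for ip, name, value in scan_log(SAMPLE_LOG):
        print(f"{ip} sent {name}={value!r}")
```

Two caveats for real use: standard access logs record only the query string, so if the parameters are sent in a POST body the same check has to run in the WAF or on request-body logging; and an allowlist this strict will flag any legitimately odd value, so treat a hit as something to pivot on in the database query log, not as a confirmed compromise.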
