CVE-2026-8442: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in https://wpreviewslider.com/ WP Review Slider Pro
The WP Review Slider Pro plugin for WordPress has a path traversal vulnerability allowing authenticated users with subscriber-level access or higher to delete arbitrary files on the server. This is due to missing authorization checks and insufficient path validation in specific AJAX handlers. The vulnerability affects versions up to and including 12.6.8. Exploitation could lead to denial of service or remote code execution. No official patch or remediation guidance is currently confirmed.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-8442 is a path traversal vulnerability in the WP Review Slider Pro WordPress plugin. The issue arises from missing authorization checks on the wpfb_hide_review and wprp_save_review_admin AJAX handlers combined with inadequate validation in the wpfb_hidereview_ajax() function. This function uses strpos() to verify that a stored media URL starts with an expected prefix but fails to sanitize path traversal sequences in the relative path before passing it to unlink(). As a result, authenticated attackers with subscriber-level privileges can delete arbitrary files on the server, potentially enabling remote code execution.
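To illustrate the flaw class described above, here is an added example that is not the plugin's code: a URL prefix check (the pattern the summary describes) beside the realpath-based containment check a hardened handler would use. Function names, the sample directory and the sample URL are hypothetical.

```php
<?php
// Added illustration, not the plugin's code: a URL prefix check (the flawed
// pattern the advisory describes) beside a filesystem containment check.
// All names and the temp directory below are hypothetical / constructed.
declare(strict_types=1);

// Constructed stand-in for wp_get_upload_dir()['basedir'] and its URL.
$uploads  = sys_get_temp_dir() . '/wp-uploads-demo';
$base_url = 'https://example.invalid/wp-content/uploads/';
@mkdir($uploads . '/2024/05', 0700, true);
file_put_contents($uploads . '/2024/05/review.jpg', 'sample');

// Flawed pattern: only checks that the stored URL begins with the expected
// prefix. Whatever follows the prefix is passed on unexamined.
function weak_prefix_check(string $url, string $base_url): bool
{
    return strpos($url, $base_url) === 0;
}

// Hardened containment check: resolve the candidate to a real path (this
// also collapses "..", "." and symlinks) and require it to lie strictly
// inside the uploads root. Anything else, including a missing file, is null.
function resolve_within_uploads(string $relative, string $uploads): ?string
{
    $root = realpath($uploads);
    $real = realpath($uploads . DIRECTORY_SEPARATOR . $relative);
    if ($root === false || $real === false) {
        return null;
    }
    $root .= DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) === 0 ? $real : null;
}

// Shape of a hardened AJAX delete handler. In a real plugin the capability
// and nonce checks (current_user_can(), check_ajax_referer()) run before
// this, because the advisory's root cause is their absence as much as the
// weak path validation.
function delete_review_media(string $relative, string $uploads): bool
{
    $path = resolve_within_uploads($relative, $uploads);
    return $path !== null && unlink($path);
}

// The prefix check passes a URL whose remainder climbs out of the directory,
// while the containment check refuses the same remainder and accepts only
// a file that really resides under the uploads root.
var_dump(weak_prefix_check($base_url . '../wp-config.php', $base_url));
var_dump(resolve_within_uploads('../wp-config.php', $uploads));
var_dump(delete_review_media('2024/05/review.jpg', $uploads));
```

Because realpath() follows symlinks, a link placed inside the uploads directory that points elsewhere is also rejected by the containment check.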
Potential Impact
An attacker with subscriber-level access or higher can delete arbitrary files on the affected server. This can lead to denial of service or facilitate remote code execution if critical files are removed or manipulated. The vulnerability does not impact confidentiality but has high integrity and availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict subscriber-level user permissions where possible and monitor for suspicious activity related to file deletions via the affected AJAX handlers.
CVSS v3.1
Score: 8.1 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-05-12T19:51:36.538Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3196670b89be688808a504
Added to database: 6/16/2026, 6:31:03 PM
Last enriched: 6/16/2026, 6:45:07 PM
Last updated: 6/16/2026, 8:00:01 PM