{"repro_id":"REPRO-2026-00239","version":6,"title":"WP Review Slider Pro SQL injection","repro_type":"security","status":"published","severity":"high","description":"The WP Review Slider Pro plugin for WordPress is vulnerable to SQL injection via the 'noti' parameter. Reproduce: install the WP Review Slider Pro plugin, send a request with a SQL injection payload in the affected parameter, and observe database error or extract data.","root_cause":"## Summary\n\nCVE-2026-8441 is an unauthenticated SQL injection vulnerability in the WP Review Slider Pro WordPress plugin. The vulnerable public AJAX action is `wprp_load_more_revs`, reached through `/wp-admin/admin-ajax.php` from a public page rendering the plugin shortcode. The genuine WP Review Slider Pro 12.6.7 code reads the request field `notinstring` in `WP_Review_Pro_Public::wppro_loadmore_revs_ajax()`, passes it through `sanitize_text_field()`, and later concatenates it into an unquoted numeric `AND id NOT IN (...)` SQL fragment in `GetReviews_Functions::wppro_queryreviews()`. The reproduction proves the issue against a live WordPress/MariaDB service using the genuine plugin source zip, with time-based and conditional extraction payloads, and then proves a line-accurate fixed patch makes the same endpoint fast.\n\n## Impact\n\n- **Package/component affected:** WP Review Slider Pro (Premium), WordPress plugin slug/codebase `wp-review-slider-pro`; public AJAX action `wprp_load_more_revs`; vulnerable helper `public/partials/getreviews_class.php`.\n- **Affected versions:** Public advisory states versions up to and including 12.7.2. The runtime proof uses a genuine WP Review Slider Pro (Premium) 12.6.7 source zip (`sha256: 7f6092f4ea58b5c5c0dba72ba014b9395bf9608f9aeeb95206e80dc14f0b17e5`), which contains the vulnerable line-accurate code path.\n- **Risk level and consequences:** High. An unauthenticated attacker who can access a public page rendering a WP Review Slider Pro template can send a POST to WordPress `admin-ajax.php` and inject SQL into the plugin's review query. The reproduced consequence is blind SQL injection sufficient to infer database contents via conditional delays, demonstrated by extracting the first character of the WordPress admin username.\n\n## Impact Parity\n\n- **Disclosed/claimed maximum impact:** SQL injection with ability to extract database data remotely and unauthenticated.\n- **Reproduced impact from this run:** Full remote API reachability and blind SQL injection. The script demonstrates normal fast response (~0.106s), repeated `SLEEP(5)` delays (~5.03s and ~5.02s), `SLEEP(3)` delay (~3.02s), and a conditional extraction oracle where `admin` username first-character test for `a` delays (~3.02s) while the false `x` test is fast (~0.016s).\n- **Parity:** `full` for the SQL injection/data-extraction claim.\n- **Not demonstrated:** Bulk dumping of the entire database was not performed; the proof stops after a minimal conditional data-extraction primitive to avoid unnecessary exposure. Code execution was not claimed or demonstrated.\n\n## Root Cause\n\nThe root cause is insufficient SQL neutralization of an attacker-controlled request parameter in a public AJAX handler:\n\n1. `WP_Review_Pro_Public::wppro_loadmore_revs_ajax()` is registered for both authenticated and unauthenticated users via `wp_ajax_wprp_load_more_revs` and `wp_ajax_nopriv_wprp_load_more_revs`.\n2. The handler performs a nonce check, but the nonce is exposed to public visitors by `wp_localize_script()` on frontend pages rendering `[wprevpro_usetemplate]`.\n3. The handler reads `$_POST['notinstring']` and applies `sanitize_text_field()`. This WordPress text sanitizer is not an SQL escaping or parameterization mechanism; it does not remove SQL operators such as `) OR (SELECT SLEEP(...))#`.\n4. In `public/partials/getreviews_class.php`, the plugin calls `explode(',', $notinstring)` and immediately rejoins the array with `implode(',', $tempnotinarray)`, then builds `AND id NOT IN ($notinstring)` by string concatenation.\n5. The resulting query is executed by `$wpdb->get_results()` without a prepared statement or integer casting for the `NOT IN` list.\n\nThe line-accurate patch used in the fixed control changes the vulnerable line to cast the CSV list through `absint` before it is rejoined:\n\n```php\n$tempnotinarray = array_filter(array_map('absint', explode(\",\", $notinstring)));\n```\n\nThis preserves numeric review IDs while removing SQL syntax from the `NOT IN` list. The public advisory names fixed version 12.7.3; no public source commit was available because the plugin is distributed commercially.\n\n## Reproduction Steps\n\n1. Run `bundle/repro/reproduction_steps.sh`.\n2. The script:\n   - verifies the bundled genuine WP Review Slider Pro 12.6.7 zip and records source identity;\n   - installs/uses PHP, MariaDB, WordPress, and WP-CLI;\n   - activates the genuine plugin in a live WordPress instance;\n   - seeds real plugin tables with review/template data and publishes a page containing `[wprevpro_usetemplate tid=\"1\"]`;\n   - retrieves the public nonce from that page;\n   - sends real HTTP POST requests to `/wp-admin/admin-ajax.php` with `action=wprp_load_more_revs`, the nonce, and attacker-controlled `notinstring` payloads (the request also includes `noti` for ticket terminology, but the genuine plugin consumes `notinstring`);\n   - captures vulnerable timing and response artifacts;\n   - patches the genuine product file in place with a line-accurate integer-casting fix;\n   - restarts the PHP service and proves the same payload is fast after patching.\n3. Expected evidence of reproduction:\n   - vulnerable `SLEEP(5)` requests take approximately five seconds twice;\n   - vulnerable conditional true extraction takes approximately three seconds while the false condition is fast;\n   - fixed `SLEEP(5)` attempts are fast after the patch;\n   - response JSON contains `dbcall` fields showing injected SQL before the patch and sanitized `AND id NOT IN (1)` after the patch.\n\n## Evidence\n\n- **Primary runtime log:** `bundle/logs/reproduction_steps.log`\n- **Evidence summary:** `bundle/logs/evidence.log`\n- **Runtime manifest:** `bundle/repro/runtime_manifest.json`\n- **Timing summary:** `bundle/artifacts/timing_summary.json`\n- **Vulnerable HTTP responses:**\n  - `bundle/artifacts/vuln_sleep5_attempt1_response.json`\n  - `bundle/artifacts/vuln_sleep5_attempt2_response.json`\n  - `bundle/artifacts/vuln_data_true_response.json`\n  - `bundle/artifacts/vuln_data_false_response.json`\n- **Fixed HTTP responses:**\n  - `bundle/artifacts/fixed_sleep5_warmup_response.json`\n  - `bundle/artifacts/fixed_sleep5_attempt1_response.json`\n  - `bundle/artifacts/fixed_sleep5_attempt2_response.json`\n- **Source identity and patch evidence:**\n  - `bundle/logs/plugin_source_identity.log`\n  - `bundle/logs/real_notinstring_patch.diff`\n  - `bundle/artifacts/real_vulnerable_getreviews_excerpt.txt`\n  - `bundle/artifacts/real_ajax_handler_excerpt.txt`\n\nKey runtime evidence from the final verified run:\n\n```text\nEndpoint: POST http://127.0.0.1:36179/wp-admin/admin-ajax.php\nAction: wprp_load_more_revs\nNonce source: public page rendering [wprevpro_usetemplate tid=\"1\"]\n\nVulnerable timings:\n  normal notinstring=1,2,3: 0.106269s\n  SLEEP(5) attempt 1: 5.028141s\n  SLEEP(5) attempt 2: 5.018714s\n  SLEEP(3): 3.017385s\n  conditional user_login first char == 'a': 3.016486s\n  conditional user_login first char == 'x': 0.015544s\n\nFixed patched-product timings:\n  SLEEP(5) warmup after patch (ignored): 0.046941s\n  SLEEP(5) attempt 1: 0.016054s\n  SLEEP(5) attempt 2: 0.015599s\n  normal: 0.016293s\n```\n\nThe runtime manifest records `entrypoint_kind=\"api_remote\"`, `service_started=true`, `healthcheck_passed=true`, and `target_path_reached=true`.\n\n## Recommendations / Next Steps\n\n- Update WP Review Slider Pro to version 12.7.3 or later.\n- Apply integer allow-listing/casting to every numeric `IN`/`NOT IN` list built from request data; using `array_map('absint', ...)` is appropriate for review ID lists.\n- Prefer `$wpdb->prepare()` for all dynamic SQL, and avoid concatenating request-controlled strings into SQL fragments.\n- Add regression tests for `wprp_load_more_revs` with malicious `notinstring` values such as `1) OR (SELECT SLEEP(5))#`, verifying the resulting query contains only numeric IDs and has no timing delay.\n- Audit related AJAX handlers in the same plugin for similar array/CSV-to-SQL concatenation patterns.\n\n## Additional Notes\n\n- The script was run successfully twice consecutively after fixes, confirming idempotency in a clean runtime directory under `bundle/artifacts/runtime`.\n- The ticket text abbreviates the affected parameter as `noti`; the real WP Review Slider Pro code and public advisories identify the consumed parameter as `notinstring`. The reproduction includes the `noti` field in requests for traceability, but the genuine plugin's vulnerable sink is `$_POST['notinstring']`.\n- The fixed control is a line-accurate local patch to the same genuine product file because a public vendor git commit was not available for the commercial plugin.\n","cve_id":"CVE-2026-8441","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8441","reproduced_at":"2026-07-06T08:22:36.448321+00:00","duration_secs":2520.0,"tool_calls":309,"handoffs":3,"total_cost_usd":15.943360689999995,"agent_costs":{"judge":0.0434506,"repro":13.075754229999994,"support":0.08531286,"vuln_variant":2.7388429999999997},"cost_breakdown":{"judge":{"gpt-5.4-mini":0.0434506},"repro":{"accounts/fireworks/routers/glm-5p2-fast":2.3535042300000004,"gpt-5.5":10.722249999999994},"support":{"accounts/fireworks/routers/glm-5p2-fast":0.08531286},"vuln_variant":{"gpt-5.5":2.7388429999999997}},"quality":{"confidence":"high","idempotent_verified":false,"community_verifications":0},"environment":{"sandbox_image":"ghcr.io/n3mes1s/pruva-sandbox@sha256:8096b2518d6022e13d68f885c3b8ded6b4fe607098b1a1ccbfb99abc004d1dc1"},"published_at":"2026-07-06T08:23:02.150809+00:00","retracted":false,"artifacts":[{"path":"bundle/repro/reproduction_steps.sh","filename":"reproduction_steps.sh","size":24656,"category":"reproduction_script"},{"path":"bundle/repro/rca_report.md","filename":"rca_report.md","size":8595,"category":"analysis"},{"path":"bundle/vuln_variant/reproduction_steps.sh","filename":"reproduction_steps.sh","size":26212,"category":"reproduction_script"},{"path":"bundle/vuln_variant/rca_report.md","filename":"rca_report.md","size":10523,"category":"analysis"},{"path":"bundle/vuln_variant/root_cause_equivalence.json","filename":"root_cause_equivalence.json","size":1262,"category":"other"},{"path":"bundle/logs/evidence.log","filename":"evidence.log","size":1259,"category":"log"},{"path":"bundle/repro/runtime_manifest.json","filename":"runtime_manifest.json","size":1351,"category":"other"},{"path":"bundle/repro/validation_verdict.json","filename":"validation_verdict.json","size":792,"category":"other"},{"path":"bundle/logs/reproduction_steps.log","filename":"reproduction_steps.log","size":7397,"category":"log"},{"path":"bundle/logs/plugin_source_identity.log","filename":"plugin_source_identity.log","size":2494,"category":"log"},{"path":"bundle/logs/real_notinstring_patch.diff","filename":"real_notinstring_patch.diff","size":1041,"category":"other"},{"path":"bundle/vuln_variant/patch_analysis.md","filename":"patch_analysis.md","size":6262,"category":"documentation"},{"path":"bundle/vuln_variant/variant_manifest.json","filename":"variant_manifest.json","size":3754,"category":"other"},{"path":"bundle/vuln_variant/validation_verdict.json","filename":"validation_verdict.json","size":3208,"category":"other"},{"path":"bundle/logs/vuln_variant/variant_evidence.log","filename":"variant_evidence.log","size":1173,"category":"log"},{"path":"bundle/vuln_variant/runtime_manifest.json","filename":"runtime_manifest.json","size":1384,"category":"other"},{"path":"bundle/logs/vuln_variant/reproduction_steps.log","filename":"reproduction_steps.log","size":10854,"category":"log"},{"path":"bundle/logs/vuln_variant/variant_plugin_source_identity.log","filename":"variant_plugin_source_identity.log","size":5247,"category":"log"},{"path":"bundle/logs/vuln_variant/variant_notinstring_patch.diff","filename":"variant_notinstring_patch.diff","size":1110,"category":"other"},{"path":"bundle/logs/vuln_variant/fixed_version.txt","filename":"fixed_version.txt","size":326,"category":"other"},{"path":"bundle/vuln_variant/artifacts/variant_timing_summary.json","filename":"variant_timing_summary.json","size":500,"category":"other"},{"path":"bundle/vuln_variant/artifacts/candidate_matrix.json","filename":"candidate_matrix.json","size":756,"category":"other"},{"path":"bundle/vuln_variant/artifacts/fixed_original_notinstring_sleep_response.json","filename":"fixed_original_notinstring_sleep_response.json","size":1524,"category":"other"},{"path":"bundle/vuln_variant/artifacts/fixed_textsource_sleep_response.json","filename":"fixed_textsource_sleep_response.json","size":448,"category":"other"},{"path":"bundle/vuln_variant/artifacts/fixed_textsearch_sleep_response.json","filename":"fixed_textsearch_sleep_response.json","size":750,"category":"other"},{"path":"bundle/vuln_variant/artifacts/fixed_textlang_sleep_response.json","filename":"fixed_textlang_sleep_response.json","size":473,"category":"other"},{"path":"bundle/vuln_variant/artifacts/fixed_textrtype_sleep_response.json","filename":"fixed_textrtype_sleep_response.json","size":467,"category":"other"},{"path":"bundle/vuln_variant/artifacts/fixed_shortcodepageid_sleep_response.json","filename":"fixed_shortcodepageid_sleep_response.json","size":477,"category":"other"}]}