CVE-2026-8441 evidence from genuine WP Review Slider Pro code path Product source: bundled wp-review-slider-pro_v12.6.7.zip Product SHA256: 7f6092f4ea58b5c5c0dba72ba014b9395bf9608f9aeeb95206e80dc14f0b17e5 Plugin header: WP Review Slider Pro (Premium), Version 12.6.7 Endpoint: POST http://127.0.0.1:36179/wp-admin/admin-ajax.php Action: wprp_load_more_revs Nonce source: public page http://127.0.0.1:36179/?p=4 rendering [wprevpro_usetemplate tid="1"] Vulnerable timings: normal notinstring=1,2,3: 0.106269s SLEEP(5) attempt 1: 5.028141s SLEEP(5) attempt 2: 5.018714s SLEEP(3): 3.017385s conditional user_login first char == 'a': 3.016486s conditional user_login first char == 'x': 0.015544s Fixed patched-product timings: SLEEP(5) warmup after patch (ignored): 0.046941s SLEEP(5) attempt 1: 0.016054s SLEEP(5) attempt 2: 0.015599s normal: 0.016293s The vulnerable delays occur only before the real plugin's public/partials/getreviews_class.php notinstring hunk is patched to cast CSV values with absint(). The HTTP request enters WordPress admin-ajax.php, passes the plugin nonce check, reaches WP_Review_Pro_Public::wppro_loadmore_revs_ajax(), and executes GetReviews_Functions::wppro_queryreviews() from the genuine product source.