[17:05:02] === CVE-2026-8441 real-product reproduction === [17:05:02] Bundle root: /data/pruva/runs/52897a84-76e4-425d-abf6-ea2f2eb78fb0/bundle [17:05:02] === Phase 1: Install runtime dependencies === [17:05:02] PHP: PHP 8.5.4 (cli) (built: May 25 2026 12:19:37) (NTS) [17:05:02] MariaDB: mariadbd Ver 11.8.6-MariaDB-5 from Ubuntu for debian-linux-gnu on x86_64 (-- Please help get to 10k stars at https://github.com/MariaDB/Server) [17:05:02] === Phase 2: Verify bundled genuine WP Review Slider Pro source === sha256 7f6092f4ea58b5c5c0dba72ba014b9395bf9608f9aeeb95206e80dc14f0b17e5 /data/pruva/runs/52897a84-76e4-425d-abf6-ea2f2eb78fb0/bundle/repro/vendor/wp-review-slider-pro_v12.6.7.zip --- Plugin header from bundled real product zip --- * @wordpress-plugin * Plugin Name: WP Review Slider Pro (Premium) * Plugin URI: https://wpreviewslider.com/ * Description: Pro Version - Allows you to easily display your Facebook Page, Yelp, Google, Manually Input, and 80+ other site reviews in your Posts, Pages, and Widget areas. * Version: 12.6.7 * Update URI: https://api.freemius.com * Author: LJ Apps * Author URI: http://ljapps.com/ --- Vulnerable notinstring construction in real product source --- 28 if($totaltoget>0){ 29 //this must be load more click 30 $totaltoget = $totaltoget + 1; //testing to see if we need to show the load more btn again. 31 $tablelimit = $totaltoget; 32 //add a not in statement after $sortdir if we are rand search ex: AND book_price NOT IN (100,200) 33 if($notinstring!=''){ 34 //explode implode for safety 35 $tempnotinarray = explode(",",$notinstring); 36 if(is_array($tempnotinarray)){ 37 $notinstring = implode(",",$tempnotinarray); 38 $notinsearchstring = " AND id NOT IN (".$notinstring.") "; 39 } 40 } 41 $tablelimit = $startoffset.",".$totaltoget; 42 --- Real unauthenticated AJAX handler source --- 2360 */ 2361 public function wppro_loadmore_revs_ajax(){ 2362 //ini_set('display_errors',1); 2363 //error_reporting(E_ALL); 2364 2365 global $wpdb; 2366 $table_name = $wpdb->prefix . 'wpfb_post_templates'; 2367 2368 check_ajax_referer('randomnoncestring', 'wpfb_nonce'); 2369 $templateid = intval(sanitize_text_field($_POST['revid'])); 2370 $perrow = intval(sanitize_text_field($_POST['perrow'])); 2371 $nrows = intval(sanitize_text_field($_POST['nrows'])); 2372 $callnum = intval(sanitize_text_field($_POST['callnum'])); 2373 $notinstring = sanitize_text_field($_POST['notinstring']); 2374 $onereview = sanitize_text_field($_POST['onereview']); 2375 $shortcodepageid = sanitize_text_field($_POST['shortcodepageid']); 2376 $shortcodelang = sanitize_text_field($_POST['shortcodelang']); 2377 $shortcodetag = sanitize_text_field($_POST['shortcodetag']); 2378 $cpostid = sanitize_text_field($_POST['cpostid']); [17:05:02] === Phase 3: Start MariaDB === [17:05:09] MariaDB ready on 127.0.0.1:59107 (PID 222584) [17:05:09] === Phase 4: Install WordPress and the genuine plugin === name,status,version akismet,inactive,5.3.5 hello,inactive,1.7.2 wp-review-slider-pro,active,12.6.7 [17:05:13] === Phase 5: Seed the real plugin tables with reviews and a load-more template === seeded_template_id=1 seeded_page_id=4 review_count=8 [17:05:13] === Phase 6: Start WordPress HTTP service === [17:05:15] WordPress service healthy on http://127.0.0.1:36179/wp-admin/admin-ajax.php; extracted public nonce d262960692 [17:05:15] === Phase 7: Exercise the vulnerable real-product admin-ajax.php path === [17:05:15] Vulnerable normal request: 0.106269s [17:05:21] Vulnerable SLEEP(5) attempt 1: 5.028141s [17:05:26] Vulnerable SLEEP(5) attempt 2: 5.018714s [17:05:29] Vulnerable SLEEP(3): 3.017385s [17:05:32] Vulnerable conditional extraction (admin first char == 'a'): 3.016486s [17:05:32] Vulnerable negative conditional extraction (admin first char == 'x'): 0.015544s [17:05:32] === Phase 8: Apply a line-accurate fixed patch to the real plugin file === --- /data/pruva/runs/52897a84-76e4-425d-abf6-ea2f2eb78fb0/bundle/artifacts/getreviews_class.vulnerable.php 2026-07-05 17:05:32.251641242 +0000 +++ /data/pruva/runs/52897a84-76e4-425d-abf6-ea2f2eb78fb0/bundle/artifacts/getreviews_class.fixed.php 2026-07-05 17:05:32.261640873 +0000 @@ -32,7 +32,8 @@ //add a not in statement after $sortdir if we are rand search ex: AND book_price NOT IN (100,200) if($notinstring!=''){ //explode implode for safety - $tempnotinarray = explode(",",$notinstring); + // CVE-2026-8441 fix: only integer review IDs may enter the numeric NOT IN clause. + $tempnotinarray = array_filter(array_map('absint', explode(",", $notinstring))); if(is_array($tempnotinarray)){ $notinstring = implode(",",$tempnotinarray); $notinsearchstring = " AND id NOT IN (".$notinstring.") "; No syntax errors detected in /data/pruva/runs/52897a84-76e4-425d-abf6-ea2f2eb78fb0/bundle/artifacts/runtime/wordpress/wp-content/plugins/wp-review-slider-pro/public/partials/getreviews_class.php [17:05:33] === Phase 9: Exercise the fixed product path over the same HTTP endpoint === [17:05:33] Fixed SLEEP(5) warmup after patch (not used for verdict; clears any stale opcode): 0.046941s [17:05:33] Fixed SLEEP(5) attempt 1: 0.016054s [17:05:33] Fixed SLEEP(5) attempt 2: 0.015599s [17:05:33] Fixed normal request: 0.016293s { "vuln_normal": 0.106269, "vuln_sleep5_attempt1": 5.028141, "vuln_sleep5_attempt2": 5.018714, "vuln_sleep3": 3.017385, "vuln_data_true": 3.016486, "vuln_data_false": 0.015544, "fixed_sleep5_warmup": 0.046941, "fixed_sleep5_attempt1": 0.016054, "fixed_sleep5_attempt2": 0.015599, "fixed_normal": 0.016293, "thresholds": { "sleep5_min_seconds": 4.5, "sleep3_min_seconds": 2.5, "fast_max_seconds": 1.5, "normal_max_seconds": 1.5 }, "confirmed": true } CVE-2026-8441 evidence from genuine WP Review Slider Pro code path Product source: bundled wp-review-slider-pro_v12.6.7.zip Product SHA256: 7f6092f4ea58b5c5c0dba72ba014b9395bf9608f9aeeb95206e80dc14f0b17e5 Plugin header: WP Review Slider Pro (Premium), Version 12.6.7 Endpoint: POST http://127.0.0.1:36179/wp-admin/admin-ajax.php Action: wprp_load_more_revs Nonce source: public page http://127.0.0.1:36179/?p=4 rendering [wprevpro_usetemplate tid="1"] Vulnerable timings: normal notinstring=1,2,3: 0.106269s SLEEP(5) attempt 1: 5.028141s SLEEP(5) attempt 2: 5.018714s SLEEP(3): 3.017385s conditional user_login first char == 'a': 3.016486s conditional user_login first char == 'x': 0.015544s Fixed patched-product timings: SLEEP(5) warmup after patch (ignored): 0.046941s SLEEP(5) attempt 1: 0.016054s SLEEP(5) attempt 2: 0.015599s normal: 0.016293s The vulnerable delays occur only before the real plugin's public/partials/getreviews_class.php notinstring hunk is patched to cast CSV values with absint(). The HTTP request enters WordPress admin-ajax.php, passes the plugin nonce check, reaches WP_Review_Pro_Public::wppro_loadmore_revs_ajax(), and executes GetReviews_Functions::wppro_queryreviews() from the genuine product source. [17:05:33] RESULT: CONFIRMED - real WP Review Slider Pro code path is SQL injectable before the line-accurate patch and fast after patch.