CVE-2026-8441 variant search evidence Product source: bundled wp-review-slider-pro_v12.6.7.zip Product SHA256: 7f6092f4ea58b5c5c0dba72ba014b9395bf9608f9aeeb95206e80dc14f0b17e5 Endpoint: POST http://127.0.0.1:55507/wp-admin/admin-ajax.php Action: wprp_load_more_revs Nonce source: public page http://127.0.0.1:55507/?p=4 rendering [wprevpro_usetemplate tid="1"] Fixed control: same 12.6.7 source with only the original notinstring fix applied. Original vulnerable/fixed-control check: vulnerable notinstring SLEEP(3): 3.109833s fixed-control notinstring SLEEP(3): 0.044909s Distinct candidates tested after notinstring patch: textsource SLEEP(3) payload: 0.015890s textsearch SLEEP(3) payload: 0.015887s textlang SLEEP(3) payload: 0.015000s textrtype SLEEP(3) payload: 0.016840s shortcodepageid SLEEP(3) payload: 0.014518s Result: no candidate produced a timing delay on the fixed control. Response dbcall fields show injected quotes are escaped (backslash-quoted) where string-filter candidates are concatenated, while the numeric notinstring payload is neutralized by the integer-casting patch. This is a negative variant result, not a confirmed bypass.