{
  "variant_id": "CVE-2026-8441-negative-variant-search-20260705",
  "created_at": "2026-07-05T17:13:10Z",
  "variant_summary": "Bounded variant search for WP Review Slider Pro SQL injection found no distinct bypass. The parent notinstring payload reproduces before the integer-casting patch and is blocked after it; alternate public fields reaching the same review-query construction were tested and remained fast.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://wpreviewslider.com//WP Review Slider Pro",
  "submitted_target": {
    "target_kind": "commercial_wordpress_plugin_zip",
    "version": "12.6.7",
    "display": "WP Review Slider Pro (Premium) 12.6.7 bundled source zip sha256 7f6092f4ea58b5c5c0dba72ba014b9395bf9608f9aeeb95206e80dc14f0b17e5"
  },
  "variant_target": {
    "target_kind": "patched_control",
    "version": "12.6.7+notinstring-absint-control",
    "display": "WP Review Slider Pro 12.6.7 with line-accurate notinstring absint patch; official 12.7.3 source unavailable"
  },
  "same_root_cause_confidence": 0.72,
  "same_surface_confidence": 0.95,
  "claimed_surface": "Unauthenticated WordPress admin-ajax.php action=wprp_load_more_revs SQL injection",
  "validated_surface": "Original notinstring SQL injection validated before patch and blocked after patch; no alternate public-field bypass validated",
  "required_entrypoint_kind": "api_remote",
  "required_entrypoint_detail": "POST /wp-admin/admin-ajax.php with action=wprp_load_more_revs and a public frontend wpfb_nonce",
  "attacker_controlled_input": "Original: notinstring/noti. Variant candidates tested: textsource, textsearch, textlang, textrtype, shortcodepageid.",
  "trigger_path": "WP_Review_Pro_Public::wppro_loadmore_revs_ajax() -> GetReviews_Functions::wppro_queryreviews() -> wp_wpfb_reviews SELECT via $wpdb->get_results()",
  "observed_impact_class": "none_for_variant",
  "exploitability_confidence": 0.0,
  "evidence_scope": "runtime_negative_variant_search",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "No tested distinct candidate produced SQL timing delay on the fixed control.",
  "blocking_mitigation": "The notinstring integer-casting patch blocks the parent unquoted numeric NOT IN injection; tested string-filter candidates remained escaped/fast.",
  "file_path": "public/partials/getreviews_class.php",
  "line_start": 35,
  "line_end": 38,
  "secondary_anchors": [
    {
      "file_path": "public/class-wp-review-slider-pro-public.php",
      "line_start": 2361,
      "line_end": 2500
    },
    {
      "file_path": "includes/class-wp-review-slider-pro.php",
      "line_start": 1558,
      "line_end": 1559
    },
    {
      "file_path": "public/partials/getreviews_class.php",
      "line_start": 63,
      "line_end": 70
    },
    {
      "file_path": "public/partials/getreviews_class.php",
      "line_start": 493,
      "line_end": 499
    },
    {
      "file_path": "public/partials/getreviews_class.php",
      "line_start": 694,
      "line_end": 706
    }
  ],
  "review_scope_paths": [
    "public/partials/getreviews_class.php",
    "public/class-wp-review-slider-pro-public.php",
    "includes/class-wp-review-slider-pro.php"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  }
}