CVE-2026-8443

WordPress · WP Review Slider Pro

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'stypes' and 'slocations' parameters, allowing unauthorized data extraction.

Executive summary

A high-severity SQL injection vulnerability in the WP Review Slider Pro plugin allows authenticated attackers with subscriber-level access to extract sensitive information from the database.

Vulnerability

The vulnerability exists in the wppro_get_overall_chart_data AJAX action, where user-supplied input is passed through stripslashes() (which removes the slashes WordPress adds to request data, so quote characters reach the query intact) and is then used in a database query without being properly prepared or escaped. This allows an authenticated attacker to manipulate SQL queries and exfiltrate database contents.

Business impact

With a CVSS score of 8.8, this vulnerability poses a severe threat to data confidentiality. An attacker can bypass application logic to extract sensitive customer or system data, potentially leading to a complete breach of the WordPress database and significant regulatory/compliance implications.

Remediation

Immediate Action: Update the WP Review Slider Pro plugin to a version later than 12.6.8 without delay.

Proactive Monitoring: Review database query logs for suspicious patterns or unexpected syntax that may indicate SQL injection attempts.

Compensating Controls: Enable a WAF to inspect incoming AJAX requests for SQL injection signatures and restrict database permissions for the WordPress user to the minimum required level.
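As an added illustration of the monitoring item above (not code from the advisory or from the plugin), the Python below scans constructed access-log lines for calls to the wppro_get_overall_chart_data action whose stypes or slocations values stray from an expected format. The expected format (comma-separated identifiers) and the sample log lines are assumptions, not facts taken from the plugin.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed (not stated in the advisory): both parameters carry comma-separated
# lists of short identifiers, e.g. "google,facebook". Anything else is flagged.
WATCHED_ACTION = "wppro_get_overall_chart_data"
WATCHED_PARAMS = ("stypes", "slocations")
TOKEN_LIST = re.compile(r"^[A-Za-z0-9_-]+(,[A-Za-z0-9_-]+)*$")
SQL_HINTS = re.compile(r"['\"`;]|--|/\*|\b(union|select|sleep|benchmark)\b", re.I)
# Common Log Format; only the source address and request target are needed here.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')

# Constructed sample lines: one benign call, one with SQL metacharacters in
# 'stypes', one unrelated action, and one POST whose body is not logged.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=wppro_get_overall_chart_data&stypes=google,facebook&slocations=main HTTP/1.1" 200 512
192.0.2.11 - - [01/Jan/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=wppro_get_overall_chart_data&stypes=google%27%20UNION%20SELECT%201--&slocations=main HTTP/1.1" 200 2048
192.0.2.12 - - [01/Jan/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&stypes=%27 HTTP/1.1" 200 64
192.0.2.13 - - [01/Jan/2026:10:00:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64
""".splitlines()


def inspect_target(target):
    """Return (param, value, reason) tuples for one request target (path + query)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("action", [""])[0] != WATCHED_ACTION:
        return []
    findings = []
    for name in WATCHED_PARAMS:
        for value in query.get(name, []):
            if TOKEN_LIST.match(value):
                continue  # value has the expected comma-separated token shape
            reason = "sql-metachar" if SQL_HINTS.search(value) else "unexpected-format"
            findings.append((name, value, reason))
    return findings


def scan_log(lines):
    """Return one dict per suspicious parameter value found in the log lines."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for name, value, reason in inspect_target(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "param": name, "value": value, "reason": reason})
    return hits
```

Standard access logs do not record POST bodies, so the same check should be run over WAF or request-body logs to cover AJAX calls sent by POST.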

Exploitation status

Public Exploit Available: true

Analyst recommendation

Given the availability of a public exploit and the high severity of SQL injection, organizations using this plugin must update immediately. Failure to do so leaves the database exposed to trivial data exfiltration by any authenticated user.