CVE-2026-8444

WordPress · WP Review Slider Pro

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action.

Executive summary

An authenticated SQL injection vulnerability in the WP Review Slider Pro plugin could allow attackers to extract sensitive data from the WordPress database.

Vulnerability

This is an SQL injection vulnerability located in the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action. Because the parameter's values are not properly sanitized or escaped before being used in a database query, authenticated attackers with subscriber-level access or higher can append additional SQL to the plugin's existing query.

Business impact

Successful exploitation allows an attacker to go beyond the plugin's intended database query and read or exfiltrate unauthorized information from the WordPress site's database. With a CVSS score of 8.8, this high-severity vulnerability poses a significant risk to data confidentiality, potentially exposing user credentials, configuration data, or personally identifiable information (PII) stored in the database.

Remediation

Immediate Action: Review the vendor advisory and update the WP Review Slider Pro plugin to the latest available version.

Proactive Monitoring: Monitor database query logs for unusual syntax or high volumes of queries originating from the wpfb_find_reviews action.

Compensating Controls: Implement a Web Application Firewall (WAF) rule to inspect and block malicious SQL injection patterns within incoming POST requests to AJAX endpoints.
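The following Python script is an added illustration of the monitoring and WAF guidance above; it is not part of the original advisory or the plugin's code. It inspects POST bodies sent to admin-ajax.php, and for the wpfb_find_reviews action flags any curselrevs[] value that is not a plain integer, on the assumption that the parameter is meant to carry numeric review IDs. The request records are constructed samples.

```python
import re
from urllib.parse import parse_qs

# Assumption (not stated in the advisory): curselrevs[] should only ever
# carry numeric review IDs, so anything else is worth blocking or alerting on.
TARGET_ACTION = "wpfb_find_reviews"
PARAM = "curselrevs[]"
INT_ID = re.compile(r"[0-9]{1,10}")  # strict integer ID: no quotes, spaces or operators


def inspect_body(body: str) -> dict:
    """Check one application/x-www-form-urlencoded POST body.

    Returns the AJAX action, the offending curselrevs[] values (if any) and a
    'block' verdict that a WAF rule or a log-monitoring job can act on.
    Requests for other actions are out of scope and are never blocked here.
    """
    params = parse_qs(body, keep_blank_values=True)  # decodes %5B%5D to []
    action = params.get("action", [""])[0]
    if action != TARGET_ACTION:
        return {"action": action, "bad_values": [], "block": False}
    bad = [v for v in params.get(PARAM, []) if not INT_ID.fullmatch(v)]
    return {"action": action, "bad_values": bad, "block": bool(bad)}


def scan_records(records):
    """records: iterable of (client_ip, body). Returns (ip, bad_values) per blocked request."""
    alerts = []
    for ip, body in records:
        verdict = inspect_body(body)
        if verdict["block"]:
            alerts.append((ip, verdict["bad_values"]))
    return alerts


# Constructed sample requests (not real traffic): one benign, one carrying a
# quote and SQL operator in the array parameter, one for an unrelated action.
SAMPLE_RECORDS = [
    ("10.0.0.5", "action=wpfb_find_reviews&curselrevs%5B%5D=12&curselrevs%5B%5D=34"),
    ("10.0.0.9", "action=wpfb_find_reviews&curselrevs%5B%5D=12%27%20OR%201%3D1"),
    ("10.0.0.7", "action=heartbeat&curselrevs%5B%5D=x"),
]

if __name__ == "__main__":
    for ip, bad in scan_records(SAMPLE_RECORDS):
        print(f"ALERT {ip}: non-numeric curselrevs[] values {bad}")
```

Standard web-server access logs do not record POST bodies, so this check has to run where the body is visible: in the WAF itself, or on request logs captured by a reverse proxy or WordPress-level logging.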

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.8 and the ease with which sensitive information can be extracted, administrators must prioritize patching this plugin. If an update is not immediately available or possible, consider disabling the plugin functionality until a secure version is deployed to mitigate the risk of data compromise.