CVE-2026-15651 in WP TripAdvisor Review Slider Plugininfo

Summary

by MITRE • 07/16/2026

The WP TripAdvisor Review Slider plugin for WordPress is vulnerable to generic SQL Injection via the 'filtersource' parameter in all versions up to, and including, 14.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/16/2026

The WP TripAdvisor Review Slider plugin for WordPress presents a critical security vulnerability classified as generic SQL Injection affecting all versions through 14.6. This flaw resides in the 'filtersource' parameter handling within the plugin's codebase, demonstrating a fundamental failure in input validation and sanitization practices. The vulnerability stems from insufficient escaping of user-supplied parameters combined with inadequate preparation of existing SQL queries, creating an exploitable condition that allows malicious actors to manipulate database operations through crafted input.

The technical implementation of this vulnerability occurs when authenticated attackers with administrator-level privileges or higher submit malicious input through the 'filtersource' parameter. The plugin fails to properly escape or sanitize this parameter before incorporating it into SQL queries, enabling attackers to inject additional SQL commands that become part of existing database operations. This represents a classic SQL injection vector where the attacker can manipulate the execution flow of database queries and potentially extract sensitive information from the underlying database system.

From an operational perspective, this vulnerability poses significant risk to WordPress installations utilizing the affected plugin version. The requirement for administrator-level access means that attackers must already have compromised administrative credentials or exploited other vulnerabilities to reach this point, but once achieved, the impact is severe. Attackers can leverage this vulnerability to extract user credentials, configuration data, and other sensitive information stored in the database, potentially leading to complete system compromise and unauthorized access to all WordPress functionalities.

The security implications extend beyond simple data extraction, as this vulnerability aligns with CWE-89 which specifically addresses SQL injection flaws in software applications. The ATT&CK framework categorizes this as a Database Query Injection technique where adversaries manipulate database queries through input validation bypasses. Organizations using this plugin should immediately implement mitigations including updating to the latest version, implementing proper parameterized queries, and conducting thorough security reviews of all plugin code. Additionally, network segmentation and privileged access controls should be enforced to limit potential impact even if such vulnerabilities are exploited.

Mitigation strategies must include immediate patching of the WP TripAdvisor Review Slider plugin to the latest secure version, implementation of proper input validation routines that prevent malicious SQL fragments from being executed, and deployment of web application firewalls to detect and block suspicious database query patterns. Regular security auditing of WordPress plugins and themes remains essential as this vulnerability demonstrates how seemingly minor input handling flaws can create significant security risks in content management systems.

Responsible

Wordfence

Reservation

07/13/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!