Platform
wordpress
Component
reviewx
Fixed in
2.2.13
CVE-2025-10679 describes a Remote Code Execution (RCE) vulnerability in the ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema plugin for WordPress. The flaw stems from inadequate input validation in the plugin's bulkTenReviews function, which lets a caller select which PHP class method is invoked. All releases up to and including 2.2.12 are affected. The fixed release is listed as 2.2.13 in the header above and as 2.3.0 in the advisory text on this page; any current release is past the affected range, so upgrading to the latest version resolves the issue under either reading.
An unauthenticated attacker can exploit this vulnerability by sending a crafted request that bypasses the input validation in bulkTenReviews and thereby calls arbitrary PHP class methods. Depending on which methods are reachable with attacker-controlled arguments, this yields information disclosure or, in the worst case, remote code execution on the WordPress server. Successful exploitation could give an attacker complete control of the affected site: modifying content, installing malware, or stealing data. The impact is aggravated by the plugin's role in managing product reviews, which routinely contain customer data and potentially sensitive business information.
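The bug class described above, a request handler that lets the caller choose the class and method that run, is easiest to recognise side by side with its hardened form. The following is an added illustration written for this page; it is not ReviewX's code, and the class, handler and request-key names are hypothetical.

```php
<?php
// Added illustration, not ReviewX's code. ReviewStore, handle_bulk_* and the
// request keys below are hypothetical; only the pattern is what matters.

class ReviewStore {
    public function countApproved(): int { return 42; }                    // harmless
    public function purgeAll(): string { return 'all reviews deleted'; }    // destructive
}

// VULNERABLE pattern: class and method names come straight from the request
// and feed a dynamic call. Every public method of every loaded class becomes
// reachable, with whatever arguments the caller supplies.
function handle_bulk_vulnerable(array $req): mixed {
    $class  = $req['class']  ?? 'ReviewStore';
    $method = $req['method'] ?? 'countApproved';
    $obj    = new $class();                                       // attacker picks the class
    return call_user_func([$obj, $method], ...($req['args'] ?? [])); // and the method
}

// HARDENED pattern: the request selects one key from a fixed allowlist, each
// key maps to a closure that calls a single known method, and unauthenticated
// callers are rejected before anything is dispatched.
function handle_bulk_hardened(array $req, bool $is_authenticated): mixed {
    if (!$is_authenticated) {
        throw new RuntimeException('forbidden', 403);
    }
    $actions = [
        'count' => fn(ReviewStore $s): int => $s->countApproved(),
    ];
    $action = (string) ($req['action'] ?? '');
    if (!array_key_exists($action, $actions)) {
        throw new InvalidArgumentException('unknown action', 400);
    }
    return $actions[$action](new ReviewStore());
}

// Constructed request (not a real exploit): the caller names a method that
// was never meant to be exposed.
$attacker = ['class' => 'ReviewStore', 'method' => 'purgeAll'];
var_dump(handle_bulk_vulnerable($attacker));

try {
    handle_bulk_hardened(['action' => 'purgeAll'], true);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
var_dump(handle_bulk_hardened(['action' => 'count'], true));
```

The vulnerable handler runs purgeAll because nothing constrains the method name; the hardened one only knows the key "count", rejects anything else before dispatch, and requires an authenticated caller. Validating that a method exists (method_exists) is not a fix on its own, since destructive methods exist too; the allowlist has to be a closed set of intended actions.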
This vulnerability was publicly disclosed on 2026-03-23. As of that date there is no publicly available Proof-of-Concept (PoC) exploit. The CVSS score of 7.3 (High) indicates significant risk. It is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, but the RCE potential warrants close monitoring. Active exploitation is not confirmed; because the flaw requires no authentication, a released PoC would likely be weaponised quickly.
Exploit Status
EPSS
0.18% (40th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the ReviewX plugin immediately to version 2.3.0 or later (the fixed release is listed above as 2.2.13; any current release contains the fix). If upgrading is not immediately feasible, apply a temporary workaround: restrict access to the bulkTenReviews endpoint to authenticated users, or add server-side validation that limits the request to a fixed set of permitted actions. A Web Application Firewall (WAF) can block requests that reference this function, with the caveat that a signature keyed on the function name only catches requests in which the name appears, so confirm the actual route and parameters before relying on it. Monitor web-server and WordPress logs for unauthenticated requests that reach the vulnerable endpoint, and treat any such request after the disclosure date as suspicious.
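One way to implement the "restrict access to the endpoint" workaround is a must-use plugin that refuses unauthenticated requests mentioning bulkTenReviews, for both classic (admin-ajax.php and front-end) requests and REST routes. This is an added example written for this page, not ReviewX's code. Because the advisory does not state the exact route ReviewX exposes, the check matches on the function name anywhere in the request; the plugin name, constant and function names are chosen here.

```php
<?php
/**
 * Plugin Name: Temporary block for bulkTenReviews (CVE-2025-10679 workaround)
 *
 * Added example, not ReviewX's code. Drop this file into wp-content/mu-plugins/
 * on a site that cannot update yet, and remove it after upgrading. It rejects
 * any request from a logged-out visitor whose URI, query string, body or REST
 * route mentions bulkTenReviews. The real ReviewX route is not stated in the
 * advisory, so the match is on the function name; narrow it once confirmed.
 */

if (!defined('ABSPATH')) {
    exit;
}

const CVE_2025_10679_NEEDLE = 'bulktenreviews';

/** True if any part of the current request mentions the vulnerable function. */
function cve_2025_10679_request_mentions_target(): bool {
    $haystack = strtolower(
        ($_SERVER['REQUEST_URI'] ?? '') . "\n" .
        http_build_query($_GET) . "\n" .
        http_build_query($_POST) . "\n" .
        (string) file_get_contents('php://input')
    );
    return strpos($haystack, CVE_2025_10679_NEEDLE) !== false;
}

/** Block early for classic requests; logged-in users keep working. */
add_action('init', function () {
    if (is_user_logged_in() || !cve_2025_10679_request_mentions_target()) {
        return;
    }
    error_log('CVE-2025-10679 workaround: blocked unauthenticated bulkTenReviews request from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    status_header(403);
    nocache_headers();
    wp_die('Forbidden', 'Forbidden', ['response' => 403]);
}, 0);

/** Same check for REST routes, after the REST server has authenticated the caller. */
add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    if (is_user_logged_in()) {
        return $result;
    }
    $blob = strtolower($request->get_route() . "\n" . wp_json_encode($request->get_params()));
    if (strpos($blob, CVE_2025_10679_NEEDLE) !== false) {
        error_log('CVE-2025-10679 workaround: blocked unauthenticated REST call to ' . $request->get_route());
        return new WP_Error('rest_forbidden', 'Forbidden', ['status' => 403]);
    }
    return $result;
}, 10, 3);
```

This is deliberately blunt: if ReviewX legitimately calls bulkTenReviews on behalf of anonymous visitors, that feature stops working until the plugin is upgraded, which is the intended trade-off for a stop-gap. The error_log lines double as the monitoring signal the advisory recommends; alert on them rather than only on web-server access logs, since a POST body is not visible there.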
Update to version 2.3.0 or a newer patched release.
CVE-2025-10679 is a Remote Code Execution vulnerability in the ReviewX plugin for WordPress: insufficient input validation in the bulkTenReviews function lets an unauthenticated attacker call arbitrary PHP class methods and potentially execute arbitrary code.
You are affected if you run any ReviewX release up to and including 2.2.12. Upgrade to 2.3.0 or later to resolve the vulnerability.
Upgrade the ReviewX plugin to version 2.3.0 or later. As a temporary workaround, restrict the bulkTenReviews endpoint to authenticated users or add server-side validation that limits it to a fixed set of permitted actions.
As of the disclosure date (2026-03-23) there is no confirmed active exploitation of CVE-2025-10679 and no public PoC, but the flaw requires no authentication, so the potential for exploitation is real.
Refer to the official ReviewX plugin changelog and website for the latest security advisory regarding CVE-2025-10679.