Platform: wordpress
Component: reviewx
Fixed version: 2.2.13
CVE-2025-10679 describes a Remote Code Execution (RCE) vulnerability within the ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema plugin for WordPress. This flaw stems from inadequate input validation, enabling attackers to execute arbitrary PHP code. The vulnerability impacts versions 0.0.0 through 2.2.12, and a patch is available in version 2.3.0.
An unauthenticated attacker can exploit this vulnerability by crafting a malicious request that bypasses input validation in the bulkTenReviews function. This allows them to directly call arbitrary PHP class methods, potentially leading to information disclosure or, more critically, remote code execution on the WordPress server. Successful exploitation could grant an attacker complete control over the affected website, allowing them to modify content, install malware, or steal sensitive data. The impact is particularly severe given the plugin's function of managing product reviews, which often contain customer data and potentially sensitive business information.
This vulnerability was publicly disclosed on 2026-03-23. As of this date, there are no publicly available Proof-of-Concept (PoC) exploits. The CVSS score of 7.3 (HIGH) indicates a significant risk. It is not currently listed on CISA KEV, but its RCE nature warrants close monitoring. Active exploitation is not confirmed, but the ease of exploitation, if a PoC is released, could lead to rapid adoption by malicious actors.
Websites utilizing the ReviewX plugin for WooCommerce, particularly those running older versions (0.0.0–2.2.12), are at significant risk. Shared hosting environments where multiple websites share the same server are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress: Use wp-cli to check the installed plugin version (the match is case-insensitive because the plugin slug is lowercase):
wp plugin list | grep -i reviewx
• wordpress: Search plugin files for the bulkTenReviews function and any instances of user-controlled data being passed directly to a function call.
• generic web: Monitor access logs for requests to the bulkTenReviews endpoint with unusual parameters. Look for patterns indicative of attempted method calls.
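The three detection steps above, worked through as an added POSIX shell example; this is not code from the advisory or from the ReviewX project. It assumes the plugin slug is `reviewx` (the component name given at the top of this page), that wp-cli's `wp plugin get <slug> --field=version` is available on the host, and that access logs are in Apache combined format. The sample log lines are constructed, and the request path `/example-endpoint/bulkTenReviews` is a placeholder because the advisory does not state the real route. The patched-version threshold is a variable: the body of this page says 2.3.0 while the header says 2.2.13, so set it to whichever value your vendor confirms.

```shell
#!/bin/sh
# Added example (not from the advisory): triage helpers for CVE-2025-10679.
# Assumption: the fixed version is 2.3.0 as stated in the advisory text.
PATCHED_VERSION="${PATCHED_VERSION:-2.3.0}"

# version_lt A B: returns 0 (true) when dotted version A is lower than B.
# Components are compared numerically, so 2.2.12 < 2.3.0 and 2.10.0 > 2.3.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# reviewx_status VERSION: prints "vulnerable" if VERSION predates the patch.
reviewx_status() {
    if version_lt "$1" "$PATCHED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# installed_version: ask wp-cli for the installed ReviewX version.
# Assumes the plugin slug "reviewx"; run from the WordPress root.
installed_version() {
    wp plugin get reviewx --field=version 2>/dev/null
}

# check_installed: one-shot live check on a real host (not run by the test).
check_installed() {
    v="$(installed_version)" || { echo "reviewx not installed or wp-cli unavailable"; return 2; }
    echo "reviewx $v: $(reviewx_status "$v")"
}

# flag_bulk_ten_reviews_hits: print access-log lines that reference the
# bulkTenReviews function (case-insensitive), for analyst review.
flag_bulk_ten_reviews_hits() {
    grep -i 'bulkTenReviews' || true
}

# count_bulk_ten_reviews_hits: same filter, but emit only the hit count.
count_bulk_ten_reviews_hits() {
    grep -ci 'bulkTenReviews' || true
}

# sample_log: constructed Apache combined-format lines for an offline run.
# The /example-endpoint/ path is a placeholder, not the plugin's real route.
sample_log() {
    cat <<'EOF'
203.0.113.10 - - [23/Mar/2026:10:00:01 +0000] "GET /product/example-widget/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Mar/2026:10:00:05 +0000] "POST /example-endpoint/bulkTenReviews HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Mar/2026:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Mar/2026:10:02:40 +0000] "GET /example-endpoint/bulktenreviews HTTP/1.1" 500 0 "-" "curl/8.0"
EOF
}

# Usage on a real host:   . ./reviewx_triage.sh; check_installed
# Usage on logs:          flag_bulk_ten_reviews_hits < /var/log/apache2/access.log
# Offline demonstration:  sample_log | count_bulk_ten_reviews_hits   (prints 2)
```

The version comparison is done in awk rather than with `sort -V` so it behaves the same on GNU, BSD and busybox userlands; the log filter matches the function name anywhere in the request line because the advisory gives no route, so tighten the pattern to the real path once you have confirmed it in the plugin source.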
Exploit status
EPSS: 0.18% (40th percentile)
The primary mitigation is to immediately upgrade the ReviewX plugin to version 2.3.0 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider a temporary workaround: restrict access to the bulkTenReviews endpoint or enforce stricter input validation on the server side. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious patterns targeting this function. Monitor WordPress logs for unusual activity or attempts to access the vulnerable endpoint.
Update to version 2.3.0 or a later fixed version.
CVE-2025-10679 is a Remote Code Execution vulnerability in the ReviewX plugin for WordPress, allowing attackers to potentially execute arbitrary code due to insufficient input validation.
You are affected if you are using ReviewX plugin versions 0.0.0 through 2.2.12. Upgrade to 2.3.0 or later to resolve the vulnerability.
Upgrade the ReviewX plugin to version 2.3.0 or later. As a temporary workaround, restrict access to the bulkTenReviews endpoint or implement stricter input validation.
As of the current date, there is no confirmed active exploitation of CVE-2025-10679, but the potential for exploitation exists.
Refer to the official ReviewX plugin documentation and website for the latest security advisory regarding CVE-2025-10679.