Overview
A high-severity vulnerability, tracked as CVE-2025-12510, has been disclosed in the “Widgets for Google Reviews” WordPress plugin. It is a Stored Cross-Site Scripting (XSS) flaw affecting all versions up to and including 13.2.4. It allows unauthenticated attackers to inject arbitrary JavaScript that executes in the admin panel and potentially on the public frontend of affected sites.
Technical Details
The vulnerability stems from insufficient input sanitization and output escaping of the Google Reviews data the plugin imports. Review content fetched from Google Places (the text a reviewer supplies) is treated as trusted and rendered into HTML without being escaped for its output context. Google does not sanitize review content for downstream consumers, so an attacker who can post a review to a Google Place connected to a vulnerable site can plant a payload that the plugin later imports and renders. No account on the WordPress site is needed, and the payload never passes through an inbound HTTP request to the site: it arrives inside the plugin's own server-side fetch from Google.
The vulnerable code can be seen in the following files:
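As an added illustration (this is not the plugin's source, which is not reproduced on this page), the following standalone PHP reconstructs the import-and-render pattern described above: a constructed Places-style review containing markup is rendered once by concatenating fields straight into HTML and once with context-appropriate escaping. The esc_html()/esc_attr()/esc_url() fallbacks are assumptions that approximate the WordPress helpers so the file runs under plain php-cli; inside WordPress the real functions are used. The review_looks_hostile() helper is a hypothetical monitoring heuristic for the Mitigation section below, not something the plugin provides.

```php
<?php
// Added example, not code from the "Widgets for Google Reviews" plugin.
// Models the import -> render flow for a Google Places review and shows why
// escaping must happen at output time, for the HTML context each field lands in.

// Assumed minimal stand-ins for the WordPress escaping helpers so this file
// also runs outside WordPress. The real helpers are used when WP is loaded.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified: only http(s) URLs pass; anything else (javascript:, data:) is dropped.
    function esc_url(string $s): string {
        return preg_match('#^https?://#i', $s)
            ? htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            : '';
    }
}

// Constructed sample in the shape of a Places API review. Google does not
// sanitize these fields for downstream consumers; all three are attacker-chosen.
$review = json_decode('{
  "author_name": "Jane <img src=x onerror=alert(document.domain)>",
  "profile_photo_url": "javascript:alert(1)",
  "rating": 5,
  "text": "Great service!<script>alert(document.domain)</script>"
}', true);

// VULNERABLE pattern: imported fields concatenated directly into markup.
function render_review_vulnerable(array $r): string {
    return '<div class="review" title="' . $r['author_name'] . '">'
         . '<img src="' . $r['profile_photo_url'] . '">'
         . '<strong>' . $r['author_name'] . '</strong> '
         . '<span class="stars">' . $r['rating'] . '</span>'
         . '<p>' . $r['text'] . '</p></div>';
}

// HARDENED pattern: every field escaped for the context it is written into.
function render_review_safe(array $r): string {
    $rating = max(0, min(5, (int) $r['rating']));   // numeric field: cast and clamp
    return '<div class="review" title="' . esc_attr($r['author_name']) . '">'
         . '<img src="' . esc_url($r['profile_photo_url']) . '">'
         . '<strong>' . esc_html($r['author_name']) . '</strong> '
         . '<span class="stars">' . $rating . '</span>'
         . '<p>' . esc_html($r['text']) . '</p></div>';
}

// Hypothetical monitoring heuristic: flags tag starts, javascript: URLs and
// inline event handlers in imported review fields. A detective aid only; it is
// not a substitute for escaping at output.
function review_looks_hostile(array $r): bool {
    $blob = implode("\n", array_map('strval', $r));
    return preg_match('#<[a-z!/]|javascript:|\bon[a-z]+\s*=#i', $blob) === 1;
}

echo "VULNERABLE:\n", render_review_vulnerable($review), "\n\n";
echo "SAFE:\n", render_review_safe($review), "\n\n";
echo "flagged by heuristic: ", review_looks_hostile($review) ? 'yes' : 'no', "\n";
```

The same data rendered in the dashboard (for example in a review list or a settings screen) needs the same treatment; the admin path is the one that matters most here, since that is where the script inherits an administrator's session.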
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) v3.1 base score for CVE-2025-12510 is 7.2, a HIGH severity rating. The metrics below are the breakdown consistent with that score. A breakdown with High confidentiality, integrity and availability impact would score 9.6 with the other metrics unchanged, so it cannot underlie the 7.2 rating; a stored XSS is normally rated Low for confidentiality and integrity and None for availability, because the script acts only within the victim's browser session.
- Attack Vector: Network (the payload is planted remotely, through Google, and delivered over the network)
- Attack Complexity: Low (any review on the connected Google Place is imported; no special conditions are needed)
- Privileges Required: None (no account on the WordPress site is needed)
- User Interaction: None (in this breakdown an administrator's later viewing of the imported review is not counted as a separate interaction; scoring it as Required would lower the result to 6.1)
- Scope: Changed (the script executes in the browser of whoever views the reviews, outside the plugin's own security authority)
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Possible Impact
Successful exploitation of this Stored XSS can have severe consequences, because the injected script runs with whatever authority the viewing user's browser session carries:
- Account Takeover: when an administrator views the imported review in the dashboard, the script can issue requests with that administrator's session, for example to create a new administrative user or change site settings, and so take control of the site.
- Website Defacement: if the widget renders the review on the public frontend, the script runs for every visitor and can alter page content, inject spam or redirect users to attacker-controlled sites.
- Data Theft: anything reachable through the victim's session can be read and exfiltrated; for an administrator this includes content exposed by the dashboard and the WordPress REST API.
- Malware Distribution: a compromised site can be used to serve malicious downloads or fake prompts to its visitors.
Mitigation and Patch Steps
To mitigate the risk associated with CVE-2025-12510, take the following steps:
- Update the Plugin: Update “Widgets for Google Reviews” to a fixed release (any version later than 13.2.4) as soon as possible. The vendor has released a patch to address this vulnerability, as seen in this commit. Until the update is applied, consider deactivating the plugin or disconnecting the Google Place it imports from.
- Monitor Google Reviews: You do not control what is posted to a Google Place, so this is a detective control rather than a fix. Inspect imported content, in the admin review list as well as in the rendered widget, for HTML tags, inline event-handler attributes (onerror=, onload=) and javascript: URLs.
- Web Application Firewall (WAF): A WAF can help detect and block malicious requests, but note its limit here: the payload reaches the site inside the plugin's own outbound request to Google's API, not in an inbound HTTP request, so a WAF inspecting incoming traffic will not see the injection itself. It can at best block the follow-on requests an executing payload makes, such as an attempt to create a new user.
- Security Audits: Regularly audit your WordPress installation and its plugins, and remove plugins you no longer need, so that issues like this one have less surface to land on.