Widgets for Google Reviews < 13.2.5 – Unauthenticated Stored XSS via Google Reviews | CVE 2025-12510 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on Google Reviews data imported by the plugin. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute in the admin panel (and potentially on the frontend) whenever a user accesses imported reviews, granted they can add a malicious review to a Google Place that is connected to the vulnerable site.

Affects Plugins

wp-reviews-plugin-for-google

Fixed in 13.2.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7adf3335-ed13-43f4-a5f3-05e89be44d2d

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Kishan Vyas

Verified

No

WPVDB ID

fb516820-2a39-4896-9cff-e01f5be8716a

Timeline

Publicly Published

2025-12-05 (about 5 months ago)

Added

2025-12-08 (about 5 months ago)

Last Updated

2025-12-08 (about 5 months ago)

Other

Published

Title

Published

2026-04-07

Title

Elementor Website Builder < 3.35.6 - Contributor+ Stored XSS via REST API

Published

2025-05-20

Title

WP Post Modules for Elementor <= 2.5.0 - Reflected Cross-Site Scripting

Published

2025-08-26

Title

Golo < 1.7.2 - Reflected Cross-Site Scripting

Published

2020-08-31

Title

Subscribe Sidebar <= 1.3.1 - Authenticated Reflected Cross-Site Scripting

Published

2025-01-16

Title

Event Countdown Timer Plugin by TechMix <= 1.4 - Reflected Cross-Site Scripting