Login Sign Up

CVE-2025-12510

7.2 HIGH
Cross-Site Scripting

📋 TL;DR

The Widgets for Google Reviews WordPress plugin has a stored XSS vulnerability that allows unauthenticated attackers to inject malicious scripts into Google Reviews data. When administrators view imported reviews in the admin panel, these scripts execute, potentially compromising admin accounts. All WordPress sites using this plugin up to version 13.2.4 are affected.

💻 Affected Systems

Products:
  • Widgets for Google Reviews WordPress plugin
Versions: All versions up to and including 13.2.4
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires the plugin to be actively importing Google Reviews data. Sites not using Google Reviews import feature may still be vulnerable if the feature is enabled.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative access to WordPress sites, install backdoors, steal sensitive data, deface websites, or pivot to internal networks.

🟠

Likely Case

Attackers hijack admin sessions, modify site content, install malicious plugins/themes, or redirect visitors to phishing sites.

🟢

If Mitigated

With proper input validation and output escaping, scripts are neutralized and displayed as harmless text rather than executed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires attackers to post malicious reviews to Google Places linked to vulnerable sites, which is publicly accessible. The XSS payload then executes when admins view reviews.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.2.5

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3399469/wp-reviews-plugin-for-google/trunk/trustindex-plugin.class.php

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Widgets for Google Reviews'. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 13.2.5+ from WordPress plugin repository and manually update.

🔧 Temporary Workarounds

Disable Google Reviews Import

all

Temporarily disable the Google Reviews import feature to prevent malicious reviews from being processed.

Remove Plugin

linux

Completely remove the vulnerable plugin until patched version can be installed.

wp plugin deactivate wp-reviews-plugin-for-google
wp plugin delete wp-reviews-plugin-for-google

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules to block malicious payloads.
  • Restrict admin panel access to specific IP addresses using .htaccess or firewall rules.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Widgets for Google Reviews' version 13.2.4 or lower.

Check Version:

wp plugin get wp-reviews-plugin-for-google --field=version

Verify Fix Applied:

Confirm plugin version is 13.2.5 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin panel activity from unexpected IPs
  • Multiple failed login attempts followed by successful admin login
  • Suspicious JavaScript in WordPress database or review data

Network Indicators:

  • Outbound connections to suspicious domains from WordPress server
  • Unexpected admin panel requests containing script tags

SIEM Query:

source="wordpress.log" AND ("wp-reviews-plugin-for-google" OR "trustindex-plugin") AND ("script" OR "onerror" OR "javascript:")

📊 Metadata

CVE ID: CVE-2025-12510
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CWE: CWE-79
EPSS Score: 0.17% exploit probability (38.7th percentile)
Published: December 6, 2025
Last Updated: December 8, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-12510, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)