CVE-2025-31886
📋 TL;DR
This CVE describes a missing authorization vulnerability in the Repuso Social Proof Testimonials and Reviews WordPress plugin that allows attackers to exploit incorrectly configured access controls. Attackers can perform unauthorized actions that should require proper authentication. This affects all WordPress sites using the plugin from any version up to 5.21.
💻 Affected Systems
- Social proof testimonials and reviews by Repuso
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify or delete testimonials/reviews, potentially altering site content or reputation, or access administrative functions if other vulnerabilities are chained.
Likely Case
Unauthorized users can manipulate testimonial content, potentially posting fake reviews or removing legitimate ones, affecting business credibility.
If Mitigated
With proper access controls and authentication checks, only authorized users can manage testimonials, limiting impact to intended functionality.
🎯 Exploit Status
Broken access control vulnerabilities typically require minimal technical skill to exploit once the attack vector is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.22 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Social proof testimonials and reviews by Repuso'. 4. Click 'Update Now' if available. 5. Alternatively, download version 5.22+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the plugin until patched version can be installed
Restrict plugin access via .htaccess
linuxAdd access restrictions to plugin directories
# Add to .htaccess in plugin directory
Order Deny,Allow
Deny from all
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block unauthorized access to plugin endpoints
- Monitor and audit all testimonial/review modifications for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for 'Social proof testimonials and reviews by Repuso' version 5.21 or lowerCheck Version:
wp plugin list --name='social-proof-testimonials-and-reviews-by-repuso' --field=versionVerify Fix Applied:
Verify plugin version is 5.22 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unauthorized POST/PUT requests to plugin endpoints
- Testimonial modifications from unauthenticated users
- 403/401 errors followed by successful 200 responses
Network Indicators:
- Unusual traffic patterns to /wp-content/plugins/social-proof-testimonials-and-reviews-by-repuso/ endpoints
- Requests bypassing authentication to testimonial management functions
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "repuso") AND (response_code=200 AND user_agent NOT CONTAINS "admin")