CVE-2025-7327 – The Widget for Google Reviews WordPress plugin ... (How to Fix)

Q: What is the severity of CVE-2025-7327?

CVE-2025-7327 has a CVSS score of 8.8 (HIGH). The Widget for Google Reviews WordPress plugin contains a directory traversal vulnerability that allows authenticated attackers with Subscriber-level access or higher to include and execute arbitrary PHP files on the server. This can lead to remote code execution, data theft, and access control bypass. All WordPress sites using this plugin up to version 1.0.15 are affected.

📋 TL;DR

The Widget for Google Reviews WordPress plugin contains a directory traversal vulnerability that allows authenticated attackers with Subscriber-level access or higher to include and execute arbitrary PHP files on the server. This can lead to remote code execution, data theft, and access control bypass. All WordPress sites using this plugin up to version 1.0.15 are affected.

💻 Affected Systems

Products:

Widget for Google Reviews WordPress plugin

Versions: All versions up to and including 1.0.15

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated user with at least Subscriber role. Only affects PHP file inclusion.

📦 What is this software?

Widget For Google Reviews by Radiustheme

View all CVEs affecting Widget For Google Reviews →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise through arbitrary PHP code execution, leading to data exfiltration, backdoor installation, and lateral movement within the network.

🟠

Likely Case

Unauthorized access to sensitive files, privilege escalation, and installation of web shells for persistent access.

🟢

If Mitigated

Limited impact if proper file permissions and web application firewalls are in place, though some information disclosure may still occur.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.16 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3316262%40business-reviews-wp%2Ftrunk&old=3201057%40business-reviews-wp%2Ftrunk&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Widget for Google Reviews' and click 'Update Now'. 4. Verify version is 1.0.16 or higher.

🔧 Temporary Workarounds

Disable plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate business-reviews-wp

Restrict user roles

all

Remove Subscriber role access or restrict user registration

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block directory traversal attempts
Restrict file permissions on web server to prevent PHP execution in upload directories

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for 'Widget for Google Reviews' version 1.0.15 or lower

Check Version:

wp plugin get business-reviews-wp --field=version

Verify Fix Applied:

Confirm plugin version is 1.0.16 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

Unusual file inclusion requests with '../' sequences in layout parameter
PHP file execution from unexpected directories

Network Indicators:

HTTP requests containing directory traversal sequences in URL parameters

SIEM Query:

web.url:*layout=*..%2F* OR web.url:*layout=*%2F..%2F*

📊 Metadata

CVE ID: CVE-2025-7327

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-98

EPSS Score: 0.48% exploit probability (64.7th percentile)

Published: July 8, 2025

Last Updated: July 9, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-7327, you might also want to check these: