CVE-2025-10734 Overview
CVE-2025-10734 is a Sensitive Information Exposure vulnerability affecting the ReviewX – WooCommerce Product Reviews plugin for WordPress. The vulnerability exists in all versions up to and including 2.2.12 and allows unauthenticated attackers to extract sensitive user data through the syncedData function. This flaw enables malicious actors to harvest personally identifiable information (PII) including user names, email addresses, phone numbers, and physical addresses without requiring any authentication.
Critical Impact
Unauthenticated attackers can remotely extract sensitive customer PII from WordPress/WooCommerce sites, potentially leading to identity theft, phishing campaigns, and privacy violations affecting site users.
Affected Products
- ReviewX – WooCommerce Product Reviews plugin versions up to and including 2.2.12
- WordPress sites running vulnerable ReviewX plugin versions
- WooCommerce stores utilizing ReviewX for product reviews
Discovery Timeline
- 2026-03-23 - CVE-2025-10734 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2025-10734
Vulnerability Analysis
This vulnerability is classified under CWE-922 (Insecure Storage of Sensitive Information). The flaw resides in the DataSyncController.php file within the ReviewX plugin's REST API implementation. The syncedData function fails to implement proper authentication checks before returning sensitive user information, allowing any remote attacker to access customer data without credentials.
The vulnerability is network-accessible and requires no user interaction or special privileges to exploit. An attacker can craft HTTP requests to the vulnerable endpoint and receive responses containing sensitive customer information that should only be accessible to authenticated administrators.
Root Cause
The root cause stems from inadequate access control implementation in the REST API controller. The syncedData function in DataSyncController.php does not verify whether the requesting user has appropriate permissions before processing data sync requests. This missing authorization check allows unauthenticated users to invoke functionality intended only for authorized administrators, resulting in unauthorized exposure of stored customer information.
Attack Vector
The attack vector is network-based, requiring only HTTP access to a vulnerable WordPress installation. An attacker can exploit this vulnerability by sending crafted requests to the plugin's REST API endpoint handling the syncedData function. Since no authentication is required, the attacker can be completely anonymous and needs no prior access to the target system.
The vulnerable endpoint can be discovered through standard WordPress REST API enumeration techniques. Once identified, the attacker simply needs to invoke the function to retrieve sensitive user data. The information disclosure includes customer names, email addresses, phone numbers, and physical addresses—data that could be leveraged for subsequent phishing attacks, identity theft, or sold on underground markets.
For technical details on the vulnerable code path, refer to the WordPress Plugin Source Code and the Wordfence Threat Intelligence Report.
Detection Methods for CVE-2025-10734
Indicators of Compromise
- Unusual REST API requests targeting ReviewX plugin endpoints, particularly the data sync functionality
- Multiple requests to /wp-json/ endpoints associated with ReviewX from unknown or suspicious IP addresses
- Unexpected spikes in API traffic patterns targeting WordPress REST endpoints
- Log entries showing unauthenticated access attempts to ReviewX data synchronization functions
Detection Strategies
- Monitor WordPress access logs for requests to ReviewX REST API endpoints without valid authentication tokens
- Implement Web Application Firewall (WAF) rules to detect and block suspicious patterns targeting the syncedData endpoint
- Review server logs for high-frequency requests to plugin-specific API routes from single IP addresses
- Deploy SentinelOne Singularity XDR to detect anomalous web application behavior and unauthorized data access patterns
Monitoring Recommendations
- Enable detailed logging for WordPress REST API calls and regularly audit access patterns
- Set up alerts for unauthenticated requests to sensitive plugin endpoints
- Implement rate limiting on REST API endpoints to mitigate automated data harvesting attempts
- Use SentinelOne's application control features to monitor web application behavior and detect exploitation attempts
How to Mitigate CVE-2025-10734
Immediate Actions Required
- Update the ReviewX plugin to a version newer than 2.2.12 immediately if a patched version is available
- Temporarily disable the ReviewX plugin if an update is not yet available
- Review access logs for signs of prior exploitation and potential data breach
- Notify affected customers if evidence suggests their data may have been compromised
Patch Information
Organizations should update the ReviewX – WooCommerce Product Reviews plugin to the latest available version that addresses this vulnerability. Check the WordPress plugin repository for security updates and consult the Wordfence Threat Intelligence Report for the latest patching guidance.
Workarounds
- Disable the ReviewX plugin entirely until a security patch is applied
- Implement WAF rules to block unauthenticated access to ReviewX REST API endpoints
- Restrict access to WordPress REST API endpoints at the web server level using IP allowlisting for trusted sources only
- Consider implementing additional authentication layers at the reverse proxy or load balancer level
# Example: Block access to ReviewX REST endpoints via .htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^.*wp-json/reviewx/.* [NC]
RewriteCond %{HTTP:Authorization} ^$
RewriteRule ^(.*)$ - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
