CVE-2025-10736 Overview
The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress contains an improper authorization vulnerability in the userAccessibility() function. This security flaw allows unauthenticated attackers to bypass authorization checks and gain unauthorized access to protected REST API endpoints. Successful exploitation enables attackers to extract and modify sensitive information related to users and the plugin's configuration.
Critical Impact
Unauthenticated, remote attackers can reach REST API endpoints that are meant to be protected and read or modify user information and plugin configuration data.
Affected Products
- ReviewX – WooCommerce Product Reviews plugin for WordPress versions up to and including 2.2.10
- WordPress installations using vulnerable ReviewX plugin versions
Discovery Timeline
- 2026-03-23 - CVE-2025-10736 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2025-10736
Vulnerability Analysis
This vulnerability is classified as CWE-285 (Improper Authorization), affecting the authentication middleware component of the ReviewX plugin. The flaw resides in the userAccessibility() function within the AuthMiddleware.php file, which fails to properly validate user permissions before granting access to REST API endpoints. This broken access control allows unauthenticated users to interact with API endpoints that should be restricted to authenticated and authorized users only.
The vulnerability can be exploited remotely over the network without requiring any user interaction or prior authentication. Successful exploitation allows attackers to read sensitive configuration data and potentially modify user-related information and plugin settings.
Root Cause
The root cause is an inadequate authorization check in the userAccessibility() function in AuthMiddleware.php. The function is supposed to decide whether the caller of a protected REST endpoint is permitted to use it, but it does not reliably verify that the request comes from an authenticated user holding the appropriate capability. Because that decision is the only gate in front of the endpoints, any unauthenticated request can reach handlers intended for privileged users.
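To make the bug class concrete, here is an added illustration of a WordPress REST permission check that lets anonymous callers through, beside the form that actually authorizes them. This is hypothetical code written for this page; it is not ReviewX's AuthMiddleware.php (which this page does not reproduce), and the route, option, and function names are invented.

```php
<?php
// Added illustration of CWE-285 in a REST permission check. Not ReviewX's code;
// the namespace, route, option and function names below are hypothetical.

// Weak form: answers "yes" to every request, so WordPress dispatches the handler
// to anonymous callers. A callback that only inspects client-controlled input
// (for example a role name sent in the request body) is equivalent, because the
// caller chooses the value being checked.
function example_weak_permission( WP_REST_Request $request ) {
    return true;
}

// Hardened form: require an authenticated user and a capability appropriate to
// the data the route exposes. By the time a permission_callback runs, WordPress
// has already validated cookie+nonce or Application Password authentication, so
// is_user_logged_in() and current_user_can() reflect the real caller, not
// anything the request body claims.
function example_hardened_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to access this resource.',
            // 401 for anonymous callers, 403 for authenticated users lacking the capability.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    // Hypothetical routes exposing a settings option; not ReviewX's real routes.
    register_rest_route( 'example-reviews/v1', '/settings', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => function () {
                return rest_ensure_response( get_option( 'example_reviews_settings', array() ) );
            },
            // Swapping in 'example_weak_permission' here reproduces the bug class:
            // the option becomes readable by anyone who can reach /wp-json/.
            'permission_callback' => 'example_hardened_permission',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => function ( WP_REST_Request $request ) {
                update_option( 'example_reviews_settings', $request->get_json_params() );
                return rest_ensure_response( array( 'updated' => true ) );
            },
            'permission_callback' => 'example_hardened_permission',
        ),
    ) );
} );
```

The point to check when reviewing any REST middleware is that the decision rests on server-side user state (the authenticated user and a capability) and never on data the request itself supplies.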
Attack Vector
The attack vector is network-based and needs no authentication. An attacker sends HTTP requests directly to the REST API endpoints the ReviewX plugin registers with the WordPress REST API; because userAccessibility() does not properly authorize them, the requests reach the route handlers. Endpoint discovery needs no guesswork: the WordPress REST index (GET /wp-json/) lists every registered namespace and route, so the attacker can enumerate the plugin's routes and then systematically read user data or modify plugin configuration.
The vulnerability is accessible through standard web requests to the WordPress REST API, making it trivial for attackers to exploit once the affected plugin version is identified on a target site. Technical details can be found in the WordPress AuthMiddleware Code Review and the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-10736
Indicators of Compromise
- Unexpected or unauthorized REST API requests to ReviewX plugin endpoints from external IP addresses
- Requests to /wp-json/reviewx/ API routes (or the equivalent ?rest_route=/reviewx/ query-string form, which WordPress also accepts) from clients with no corresponding WordPress login activity
- Configuration changes to the ReviewX plugin that were not made by administrators
- Log entries showing repeated requests to ReviewX REST endpoints from the same source
Detection Strategies
- Monitor WordPress access logs for suspicious requests targeting ReviewX REST API endpoints
- Implement Web Application Firewall (WAF) rules to detect and block unauthorized API access attempts
- Review WordPress audit logs for unexpected configuration changes to the ReviewX plugin
- Deploy intrusion detection systems (IDS) configured to alert on REST API abuse patterns
Monitoring Recommendations
- Enable detailed logging for WordPress REST API requests, particularly for the ReviewX plugin namespace
- Set up alerts for high volumes of requests to ReviewX API endpoints from unauthenticated sources
- Regularly audit user permissions and plugin configuration settings for unauthorized modifications
- Monitor for reconnaissance activity targeting WordPress plugin enumeration
How to Mitigate CVE-2025-10736
Immediate Actions Required
- Update the ReviewX plugin to a version newer than 2.2.10 immediately
- Review plugin configuration and user data for signs of unauthorized access or modification
- Temporarily disable the ReviewX plugin if an update is not immediately available
- Audit access logs for evidence of exploitation attempts
Patch Information
Website administrators should update the ReviewX plugin to the latest available version that addresses this vulnerability. Check the official WordPress plugin repository for the most recent security release. Before updating, ensure you have a complete backup of your WordPress installation and database.
For detailed information about the vulnerability, refer to the Wordfence Vulnerability Report.
Workarounds
- Restrict access to the ReviewX REST routes at the server level using .htaccess or nginx configuration rules; cover both the /wp-json/reviewx/ path and the ?rest_route= query-string form, since WordPress serves the REST API through either
- Implement additional authentication layers through security plugins that enforce REST API access controls
- Use a Web Application Firewall (WAF) to block unauthorized requests to vulnerable endpoints
- Disable the ReviewX plugin entirely until a patched version can be deployed
# Example .htaccess configuration to restrict ReviewX REST API access.
# Covers both the pretty-permalink path and the ?rest_route= fallback that
# WordPress also accepts; the query-string form may arrive URL-encoded, so
# both "/" and "%2F" are matched. Requires mod_rewrite and an AllowOverride
# that permits rewrites in .htaccess; prefix the path if WordPress lives in a
# subdirectory. Replace 203.0.113.10 with your trusted address (dots escaped,
# since the pattern is a regular expression).
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-json/reviewx/ [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)rest_route=(/|%2F)reviewx(/|%2F) [NC]
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule .* - [F,L]
</IfModule>
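The following must-use plugin is an added example of the "additional authentication layer" workaround listed above and of the per-namespace REST logging recommended in the monitoring section. It is not code from ReviewX, WordPress core, or Wordfence. It assumes the plugin registers its routes under the reviewx namespace (the /wp-json/reviewx/ prefix used in this advisory); confirm that against the namespaces listed by GET /wp-json/ on the site before relying on it. All function and constant names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example REST namespace gate for ReviewX (CVE-2025-10736 stopgap)
 * Description: Added workaround example, not code from ReviewX or Wordfence.
 * Rejects unauthenticated or under-privileged requests to the plugin's REST
 * namespace and logs every attempt. Install as
 * wp-content/mu-plugins/reviewx-rest-gate.php and remove after patching.
 */

// Assumption: the plugin's routes live under the "reviewx" namespace, matching the
// /wp-json/reviewx/ prefix in this advisory. Verify with GET /wp-json/ and adjust.
const EXAMPLE_REVIEWX_NS_PREFIX = '/reviewx/';

// Capability required to use these routes while the gate is active.
// manage_options limits them to administrators; relax only if you know which
// roles legitimately need the routes.
const EXAMPLE_REVIEWX_REQUIRED_CAP = 'manage_options';

function example_reviewx_route_is_guarded( string $route ): bool {
    // WP_REST_Request::get_route() returns the path without the /wp-json prefix,
    // e.g. "/reviewx/v1/...", regardless of whether the client used the pretty
    // path or the ?rest_route= form.
    return 0 === strpos( $route, EXAMPLE_REVIEWX_NS_PREFIX );
}

function example_reviewx_log( string $outcome, WP_REST_Request $request ): void {
    // Goes to the PHP error log (wp-content/debug.log when WP_DEBUG_LOG is on),
    // giving the per-namespace REST logging the detection section asks for.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'reviewx-rest-gate %s ip=%s user=%d method=%s route=%s',
        $outcome,
        $ip,
        get_current_user_id(),
        $request->get_method(),
        $request->get_route()
    ) );
}

// rest_pre_dispatch fires after WordPress has authenticated the caller (cookie+nonce
// or Application Password) and before the route's own permission_callback, so this
// gate holds even though the plugin's own check is the vulnerable part.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    if ( null !== $result || ! example_reviewx_route_is_guarded( $request->get_route() ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() || ! current_user_can( EXAMPLE_REVIEWX_REQUIRED_CAP ) ) {
        example_reviewx_log( 'denied', $request );
        return new WP_Error(
            'rest_forbidden',
            'Access to this endpoint is restricted while CVE-2025-10736 is unpatched.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    example_reviewx_log( 'allowed', $request );
    return $result;
}, 10, 3 );
```

Files in wp-content/mu-plugins/ load before regular plugins and cannot be deactivated from the dashboard, which is what you want for a stopgap. Because the gate rejects every anonymous request under the namespace, it will also break any storefront feature the plugin drives over the REST API for logged-out visitors; accept that for the short window until the patched version is installed, then delete the file. The denied/allowed log lines give you a direct count of how often the routes were probed, which is more reliable than inferring authentication state from web-server access logs.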
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


