CVE-2025-12510 Overview
The Widgets for Google Reviews plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability affecting all versions up to and including 13.2.4. The flaw stems from insufficient input sanitization and output escaping on Google Reviews data imported by the plugin. Unauthenticated attackers can inject arbitrary web scripts by submitting a malicious review to a Google Place connected to the vulnerable site. The injected payload executes when administrators or site visitors access the imported reviews. The vulnerability is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Unauthenticated attackers can execute arbitrary JavaScript in the WordPress admin context, enabling session hijacking, administrative action abuse, and frontend visitor compromise.
Affected Products
- Widgets for Google Reviews plugin for WordPress, versions up to and including 13.2.4
- WordPress sites importing reviews via the trustindex-plugin integration
- Any WordPress installation connecting the plugin to attacker-reachable Google Places
Discovery Timeline
- 2025-12-06 - CVE-2025-12510 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-12510
Vulnerability Analysis
The vulnerability resides in the plugin's review import workflow within trustindex-plugin.class.php. When the plugin fetches reviews from the Google Places API, it stores the supplied reviewer-controlled fields without sufficient sanitization. The values are later rendered in the WordPress admin interface and potentially the public frontend without adequate output escaping. Because the attack vector flows through Google Reviews, the attacker does not need a WordPress account, credentials, or any direct interaction with the target site. The payload persists in the site's database once imported, making this a true stored XSS rather than a reflected variant.
Root Cause
The plugin trusts the structure and content of external Google Reviews data. Sanitization and escaping routines such as wp_kses_post() or esc_html() are not consistently applied to the reviewer name, review body, or related metadata before storage and rendering. The relevant sinks are referenced at lines 5907 and 5932 of the plugin source in the WordPress Plugin Code Reference.
Attack Vector
An attacker posts a malicious review containing a JavaScript payload to a Google Place that the target WordPress site has connected to the plugin. When the site imports the review, the payload is stored. When an administrator opens the reviews interface or a visitor loads a page rendering the imported review, the script executes in their browser. Admin-context execution can lead to plugin installation, account creation, or full site takeover. See the Wordfence Vulnerability Report for additional technical context.
No verified exploit code is publicly available.
Payload path: malicious Google Review -> plugin import -> stored without escaping -> rendered in admin/frontend
Detection Methods for CVE-2025-12510
Indicators of Compromise
- Imported reviews containing HTML tags such as <script>, <img onerror=>, <svg onload=>, or javascript: URIs in reviewer name or review body fields
- Unexpected outbound requests from admin browser sessions to attacker-controlled domains shortly after viewing the reviews page
- New WordPress administrator accounts or plugin installations following access to the reviews admin screen
Detection Strategies
- Query the WordPress database for plugin-related options and post meta containing HTML or JavaScript syntax in fields sourced from Google Reviews
- Inspect server access logs for admin-panel sessions that subsequently triggered unexpected admin-ajax.php or REST API privileged actions
- Compare installed plugin versions against 13.2.4 and flag any host running an affected build
Monitoring Recommendations
- Monitor WordPress admin user activity, particularly account creation, role changes, and plugin or theme installations
- Enable Content Security Policy (CSP) reporting to surface inline script execution in the admin panel
- Track changes to imported review records and alert on stored values containing angle brackets or event handler attributes
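As an added example (not code from this page or from the plugin), a Python check that applies the indicators listed under Detection Methods to stored review fields. The record layout and sample rows are constructed assumptions; it flags HTML tags, inline event handlers and javascript: URIs rather than every angle bracket, so benign text such as "<3" is not reported, and it decodes entity-encoded values so an escaped-on-import payload is still surfaced for review.

```python
import html
import re

# Indicator patterns taken from the IoC list above: script tags, inline event
# handler attributes, javascript: URIs, and any other HTML tag in a review field.
PATTERNS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("html_tag", re.compile(r"<\s*[a-z][a-z0-9-]*\b", re.I)),
]
FIELDS = ("reviewer_name", "review_body")

def decode_layers(value, rounds=3):
    # Strip up to `rounds` layers of entity encoding so a payload stored as
    # &lt;svg onload=...&gt; is still matched (such hits need manual review).
    for _ in range(rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_review(record):
    # One finding per (field, indicator) hit in a single stored review row.
    findings = []
    for field in FIELDS:
        text = decode_layers(record.get(field, ""))
        for name, pattern in PATTERNS:
            m = pattern.search(text)
            if m:
                findings.append({"id": record["id"], "field": field, "indicator": name,
                                 "snippet": text[m.start():m.start() + 40]})
    return findings

def scan_reviews(records):
    return [f for r in records for f in scan_review(r)]

def flagged_ids(records):
    return sorted({f["id"] for f in scan_reviews(records)})

# Constructed sample rows standing in for reviews exported from the plugin's
# stored data (e.g. via `wp db query`); none of this is real site data.
SAMPLE_REVIEWS = [
    {"id": "1", "reviewer_name": "Alice", "review_body": "I <3 the coffee, 5 > 4 stars"},
    {"id": "2", "reviewer_name": "<script>alert(1)</script>", "review_body": "ok"},
    {"id": "3", "reviewer_name": "Bob", "review_body": "<img src=x onerror=alert(1)>"},
    {"id": "4", "reviewer_name": "Carol", "review_body": 'See <a href="javascript:alert(1)">here</a>'},
    {"id": "5", "reviewer_name": "Dan", "review_body": "&lt;svg onload=alert(1)&gt;"},
]
```

Running scan_reviews over rows exported from the plugin's review storage lists each flagged field with the matching indicator, which maps directly onto the purge step under Immediate Actions.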
How to Mitigate CVE-2025-12510
Immediate Actions Required
- Update the Widgets for Google Reviews plugin to a release later than 13.2.4 (the patched build referenced in the WordPress Plugin Change Log)
- Audit existing imported reviews for embedded HTML or script content and purge any malicious entries
- Rotate administrator session cookies and credentials if the reviews admin page was accessed while running a vulnerable version
Patch Information
The vendor addressed the issue in the changeset referenced above, which adds sanitization and output escaping to the affected review-rendering paths in trustindex-plugin.class.php. Site operators should apply the update through the WordPress plugin manager and verify the installed version is greater than 13.2.4.
Workarounds
- Disable or uninstall the Widgets for Google Reviews plugin until the update can be applied
- Disconnect the plugin from any Google Place that accepts public reviews to prevent further import of attacker-controlled data
- Apply a strict Content Security Policy that disallows inline scripts in the WordPress admin interface to limit payload execution; test it before enforcing, since the WordPress admin itself depends on inline scripts and an overly strict policy can break it
# Verify the installed plugin version on a WordPress host using WP-CLI
wp plugin get wp-reviews-plugin-for-google --field=version
# Update to the patched release
wp plugin update wp-reviews-plugin-for-google
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.