CVE-2025-7327 Overview
CVE-2025-7327 is a directory traversal vulnerability in the Widget for Google Reviews plugin for WordPress, developed by radiustheme. The flaw affects all versions up to and including 1.0.15 and stems from improper handling of the layout parameter. Authenticated attackers with Subscriber-level access or higher can include and execute arbitrary PHP files on the underlying server. The issue is tracked under [CWE-98] (Improper Control of Filename for Include/Require Statement in PHP Program) and represents a Local File Inclusion (LFI) condition.
Critical Impact
A low-privileged authenticated user can achieve remote code execution by including arbitrary PHP files, bypassing access controls and exposing sensitive data on affected WordPress sites.
Affected Products
- Radiustheme Widget for Google Reviews plugin for WordPress
- All versions up to and including 1.0.15
- WordPress sites permitting Subscriber-level registration with the plugin enabled
Discovery Timeline
- 2025-07-08 - CVE-2025-7327 published to the National Vulnerability Database (NVD)
- 2025-07-09 - Last updated in NVD database
Technical Details for CVE-2025-7327
Vulnerability Analysis
The Widget for Google Reviews plugin processes the layout parameter without validating or sanitizing the supplied value against an allow-list of expected layout templates. The parameter is passed into a PHP include or require statement, which interprets path traversal sequences such as ../ to resolve files outside the plugin's intended template directory. Because PHP executes any included file as code, an attacker who controls the path can force the server to execute arbitrary PHP. The vulnerability requires only Subscriber-level authentication, a role commonly granted by WordPress sites that allow public registration. Successful exploitation grants the attacker the privileges of the PHP process, typically enabling full site compromise, database access, and lateral movement.
Root Cause
The root cause is insufficient input validation on the layout parameter combined with its use in a dynamic file inclusion call. The plugin trusts user-supplied input to select a template file rather than mapping the parameter to a fixed set of valid template names. This is the canonical pattern described by [CWE-98].
Attack Vector
The attack is network-based and requires authentication at the Subscriber role or higher. An attacker authenticates to the target WordPress site, then issues a request that supplies a manipulated layout value pointing at a previously uploaded file (such as a polyglot image containing PHP) or another readable file on the filesystem. The included file is executed in the context of the web server. The EPSS score is 0.927% with a percentile of 76.411, indicating elevated exploitation likelihood relative to most CVEs.
No verified public proof-of-concept code is available at this time. Refer to the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-7327
Indicators of Compromise
- Web server access logs containing requests with layout parameter values that include ../, ..\, URL-encoded traversal sequences (%2e%2e%2f), or absolute filesystem paths
- Unexpected PHP execution originating from the wp-content/uploads/ directory or other non-code paths
- New or modified PHP files in the plugin directory wp-content/plugins/business-reviews-wp/ outside of patch windows
- Subscriber-role accounts performing administrative-style requests or shortcode-rendering calls
Detection Strategies
- Inspect HTTP request bodies and query strings for the layout parameter and alert on values containing path separators or file extensions
- Monitor PHP file inclusion events using runtime application instrumentation or WordPress audit logging plugins
- Correlate authentication events for low-privilege accounts with subsequent file-write or include activity on the host
- Compare installed plugin versions against 1.0.15 and flag any host running an unpatched build
Monitoring Recommendations
- Forward WordPress, PHP-FPM, and web server logs to a centralized analytics platform for retention and correlation
- Alert on outbound network connections initiated by the web server process immediately after a layout parameter request
- Track creation of new administrator accounts or modifications to wp-config.php and .htaccess files
How to Mitigate CVE-2025-7327
Immediate Actions Required
- Update the Widget for Google Reviews plugin to a version newer than 1.0.15 that incorporates the upstream fix from the WordPress Changeset Update
- Audit all Subscriber and higher accounts for unfamiliar usernames, recent registrations, and unusual activity
- Scan the wp-content/uploads/ tree for files containing PHP tags or unexpected executable content
- Rotate WordPress administrative credentials, database passwords, and any API keys stored in wp-config.php
Patch Information
The vendor radiustheme addressed the issue in the plugin trunk via revision 3316262, replacing the unsafe inclusion logic for the layout parameter. Site operators should upgrade through the WordPress plugin dashboard or by deploying the fixed release manually. Confirm the installed version is greater than 1.0.15 after applying the update. See the Wordfence Vulnerability Report for vendor-confirmed fix details.
Workarounds
- Disable and remove the Widget for Google Reviews plugin until the patched version can be deployed
- Disable public user registration or restrict the default new-user role to a level below Subscriber where feasible
- Deploy a web application firewall rule that blocks requests containing ../, ..\, or encoded traversal sequences in the layout parameter
- Configure PHP open_basedir and disable_functions to constrain the files the web server can include and execute
# Example WAF rule (ModSecurity) blocking traversal in the layout parameter
SecRule ARGS:layout "@rx (\.\./|\.\.\\|%2e%2e%2f|%2e%2e/)" \
"id:1007327,phase:2,deny,status:403,log,\
msg:'CVE-2025-7327 Widget for Google Reviews LFI attempt'"
# Example PHP hardening in php.ini
open_basedir = /var/www/html:/tmp
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

