Skip to main content
CVE Vulnerability Database

CVE-2025-9899: Trust Reviews WordPress Plugin CSRF Flaw

CVE-2025-9899 is a Cross-Site Request Forgery vulnerability in the Trust Reviews plugin for WordPress that allows attackers to manipulate feed entries. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-9899 Overview

The Trust Reviews plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] affecting all versions up to and including 1.0. The plugin aggregates reviews from platforms including Google, Tripadvisor, Yelp, and Airbnb. The vulnerability results from missing or incorrect nonce validation on the feed_save function. Unauthenticated attackers can create or modify feed entries by tricking a site administrator into clicking a crafted link or visiting an attacker-controlled page.

Critical Impact

Successful exploitation allows attackers to create or modify plugin feed entries in the context of an authenticated administrator, potentially altering displayed review content on affected WordPress sites.

Affected Products

  • Trust Reviews plugin for WordPress — all versions up to and including 1.0
  • WordPress sites integrating reviews from Google, Tripadvisor, Yelp, and Airbnb via the plugin
  • Administrator accounts on sites running the vulnerable plugin

Discovery Timeline

  • 2025-09-27 - CVE-2025-9899 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9899

Vulnerability Analysis

The Trust Reviews plugin exposes a feed_save handler that writes feed configuration data without verifying request authenticity. WordPress provides nonce tokens as its standard CSRF defense, requiring plugins to validate them through functions such as check_admin_referer or wp_verify_nonce. The plugin either omits this check or implements it incorrectly, so the server accepts any request that includes valid administrator session cookies. An attacker crafts an HTML page or link that submits a request to the WordPress admin endpoint. When a logged-in administrator visits the page, the browser attaches the session cookies and executes the state-changing action on behalf of the attacker.

Root Cause

The root cause is missing or incorrect nonce validation in the feed_save function within class-feed-serializer.php. Without a server-side check that a nonce token accompanies the request, the plugin cannot distinguish legitimate administrator actions from cross-origin forgeries. See the WordPress Trust Reviews Code for the affected source.

Attack Vector

Exploitation requires user interaction from an authenticated administrator. The attacker hosts a page containing a form or JavaScript that auto-submits a POST request to the target site's admin-ajax or admin-post endpoint invoking feed_save. The victim's browser sends the request with valid authentication cookies. The plugin processes the request as legitimate and stores or modifies the attacker-supplied feed data. Additional details are available in the Wordfence Vulnerability Report.

Detection Methods for CVE-2025-9899

Indicators of Compromise

  • Unexpected creation or modification of Trust Reviews feed entries in the WordPress database, particularly in wp_options or plugin-specific tables
  • Administrator HTTP requests to feed_save endpoints originating from external Referer headers
  • Feed content pointing to unfamiliar external URLs or containing unexpected review sources

Detection Strategies

  • Review web server access logs for POST requests to admin-ajax.php or admin-post.php invoking feed_save with cross-origin Referer values
  • Monitor WordPress audit logs for feed configuration changes that do not correlate with administrator activity
  • Correlate administrator browser sessions with plugin configuration writes to identify forged submissions

Monitoring Recommendations

  • Enable a WordPress activity logging plugin to capture plugin option changes with timestamps and originating user
  • Alert on HTTP requests to plugin admin endpoints when the Referer header is missing or points to an external domain
  • Track file integrity for the Trust Reviews plugin directory to detect tampering alongside configuration changes

How to Mitigate CVE-2025-9899

Immediate Actions Required

  • Deactivate the Trust Reviews plugin until a patched version is available and installed
  • Instruct administrators to log out of WordPress sessions when not actively managing the site
  • Restrict administrator access to trusted browsers and networks, and avoid clicking untrusted links while authenticated

Patch Information

At the time of publication, all versions up to and including 1.0 are affected. Administrators should monitor the Wordfence Vulnerability Report and the plugin's WordPress.org page for a fixed release, then update immediately once available.

Workarounds

  • Deploy a web application firewall rule that blocks POST requests to the plugin's admin endpoints when the Referer header is missing or off-site
  • Enforce Same-Site cookie attributes on WordPress authentication cookies to reduce cross-origin cookie transmission
  • Require administrators to use separate browser profiles or private windows for WordPress administration to limit session exposure
bash
# Example nginx rule to block cross-origin POSTs to the plugin endpoint
location = /wp-admin/admin-ajax.php {
    if ($request_method = POST) {
        if ($http_referer !~* "^https?://your-site\.example/") {
            return 403;
        }
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.