Description
The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to arbitrary method calls in all versions up to, and including, 2.2.12. This is due to insufficient input validation in the bulkTenReviews function that allows user-controlled data to be passed directly to a variable function call mechanism. This makes it possible for unauthenticated attackers to call arbitrary PHP class methods that take no inputs or have default values, potentially leading to information disclosure or remote code execution depending on available methods and server configuration.
Published: 2026-03-23
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Limited remote code execution via unauthenticated arbitrary method calls
Action: Patch Immediately
AI Analysis

Impact

The ReviewX WordPress plugin's bulkTenReviews function takes a user-supplied string and uses it as the method name in a PHP variable method call (the $object->$name() pattern) without checking it against the set of methods the endpoint is meant to expose. An attacker can therefore name any public method of the target class that takes no arguments, or has defaults for all of them, and have the plugin execute it. What that yields depends on which such methods exist in the loaded plugin, WooCommerce and WordPress code: some only disclose data, others write it or reach further code paths, which is why the advisory title calls this "limited" remote code execution rather than full RCE. The weakness is classified as CWE-94 (Improper Control of Generation of Code, "Code Injection").
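The pattern described above and in the CVE description, shown as an added illustration rather than ReviewX's own source (which the advisory does not quote). ReviewHandler, its methods and the 'action' request parameter are hypothetical stand-ins for "a handler that dispatches on a caller-supplied method name"; the unsafe and the allow-listed dispatcher sit side by side.

```php
<?php
// Added illustration (not ReviewX's source, which the advisory does not quote).
// ReviewHandler, its methods and the 'action' request parameter are hypothetical
// stand-ins for "a handler that dispatches on a caller-supplied method name".

class ReviewHandler
{
    // The only methods an unauthenticated caller is meant to reach.
    private const PUBLIC_ACTIONS = ['bulkTenReviews', 'latestReviews'];

    /** @var array<int, array{id:int, rating:int}> */
    private array $reviews;

    public function __construct(array $reviews)
    {
        $this->reviews = $reviews;
    }

    public function bulkTenReviews(): array
    {
        return array_slice($this->reviews, 0, 10);
    }

    public function latestReviews(int $n = 5): array
    {
        return array_slice($this->reviews, 0, $n);
    }

    // Never meant to be web-reachable, but it takes no arguments, so the unsafe
    // dispatcher below will happily run it.
    public function dumpConfig(): array
    {
        return ['db_password' => 'constructed-sample', 'api_key' => 'constructed-sample'];
    }

    // VULNERABLE: the method name comes straight from the request. Every public
    // method with no required parameters becomes callable, including dumpConfig().
    public function dispatchUnsafe(array $params)
    {
        $method = $params['action'];   // attacker-controlled string
        return $this->$method();       // PHP variable method call
    }

    // HARDENED: strict allow-list before the variable call is reached.
    // method_exists() or is_callable() alone would not help here; they only
    // confirm that the attacker picked a name that exists.
    public function dispatchSafe(array $params)
    {
        $method = (string) ($params['action'] ?? '');
        if (!in_array($method, self::PUBLIC_ACTIONS, true)) {
            throw new InvalidArgumentException('Unknown action: ' . $method);
        }
        return $this->$method();
    }
}

// Constructed sample data and requests.
$handler = new ReviewHandler([['id' => 1, 'rating' => 5], ['id' => 2, 'rating' => 4]]);

print_r($handler->dispatchUnsafe(['action' => 'bulkTenReviews'])); // intended use
print_r($handler->dispatchUnsafe(['action' => 'dumpConfig']));     // leaks the config

try {
    $handler->dispatchSafe(['action' => 'dumpConfig']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;                                 // refused
}
```

The fix is the allow-list, not a check that the name exists: the attacker is choosing from the methods that do exist, so the list has to enumerate what the endpoint is supposed to do and reject everything else before the variable call runs.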

Affected Systems

WordPress sites running the ReviewX – WooCommerce Product Reviews with Multi‑Criteria plugin, version 2.2.12 or earlier, are affected. The plugin adds multi‑criteria review features, reminder emails, Google Reviews integration, and Schema markup to WooCommerce stores. Any WooCommerce installation that has not upgraded beyond 2.2.12 remains exposed to this vulnerability.

Risk and Exploitability

The CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) rates the issue High: it is reachable over the network with no authentication and no user interaction, with limited rather than complete impact on confidentiality, integrity and availability. The EPSS estimate is below 1% and the vulnerability is not listed in the CISA KEV catalog, but the absence of authentication makes it attractive to automated scanning, and the SSVC assessment marks it as Automatable. The Wordfence description does not name the entry point; the expected vector is an unauthenticated HTTP request to whichever plugin endpoint reaches bulkTenReviews, with the attacker supplying the method name. What the attacker gains is bounded by the parameterless methods present in the loaded PHP code and by the server configuration: information disclosure at minimum, and in the worst case code paths that amount to compromise of the web server account. Because the plugin runs on WooCommerce storefronts that hold customer and order data, that range is wide.

Generated by OpenCVE AI on March 23, 2026 at 06:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ReviewX to a release later than 2.2.12 as soon as the vendor publishes one; every release up to and including 2.2.12 is affected, and the fix must close the missing validation in bulkTenReviews.
  • If an immediate update is not possible, completely deactivate or uninstall the ReviewX plugin to remove the vulnerable functionality.
  • If the plugin must remain in use, restrict access to its REST API endpoints so that only authenticated and authorized users can invoke them, or block the endpoints at the network firewall level. Expect this to break any legitimate guest-facing feature the plugin serves through those endpoints, so treat it as a stopgap until the update is applied.
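A stopgap for the third action above, as an added example rather than anything OpenCVE or ReviewX ship: a must-use plugin that refuses REST requests under the plugin's namespace unless the caller is a logged-in user with a store-management capability. The page does not name the vulnerable route, so the /reviewx/ route prefix and the manage_woocommerce capability are assumptions to verify on the target site (list /wp-json/ to see the plugin's actual namespace) before relying on it.

```php
<?php
/**
 * Plugin Name: ReviewX REST stopgap (added example, not vendor code)
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * ASSUMPTIONS: the vulnerable endpoint lives under the REST route prefix
 * below (the advisory does not name it; check /wp-json/ on the site), and
 * WooCommerce's manage_woocommerce capability is the right bar for callers.
 */

const REVIEWX_STOPGAP_ROUTE_PREFIX = '/reviewx/';   // assumed; verify on your site
const REVIEWX_STOPGAP_CAPABILITY   = 'manage_woocommerce';

// rest_pre_dispatch runs before WordPress hands the request to the route's
// callback. Returning a WP_Error short-circuits dispatch with that error.
add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    $route = $request->get_route();

    // Not the plugin's namespace: leave the request alone.
    if (strpos($route, REVIEWX_STOPGAP_ROUTE_PREFIX) !== 0) {
        return $result;
    }

    // REST authentication (cookie + nonce, or an application password) has
    // already run by this point, so is_user_logged_in() reflects a verified
    // caller, not just the presence of a session cookie.
    if (!is_user_logged_in() || !current_user_can(REVIEWX_STOPGAP_CAPABILITY)) {
        return new WP_Error(
            'reviewx_stopgap_forbidden',
            'This endpoint is temporarily restricted to authorized users.',
            ['status' => 403]
        );
    }

    return $result;
}, 10, 3);
```

This blocks every route under the prefix, including any the plugin legitimately exposes to anonymous shoppers, which is the trade-off the action above accepts. It does nothing for entry points outside the REST API (for example admin-ajax actions), and whether the vulnerable call is reached through REST at all is an inference from the advisory, not something it states; remove the file once the site is on a fixed release.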


Advisories

No advisories yet.

History

Wed, 25 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Reviewx; Reviewx reviewx – Multi-criteria Reviews For Woocommerce With Google Reviews & Schema; Wordpress; Wordpress wordpress
Vendors & Products | | Reviewx; Reviewx reviewx – Multi-criteria Reviews For Woocommerce With Google Reviews & Schema; Wordpress; Wordpress wordpress

Mon, 23 Mar 2026 05:45:00 +0000

Type | Values Removed | Values Added
Description | | The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to arbitrary method calls in all versions up to, and including, 2.2.12. This is due to insufficient input validation in the bulkTenReviews function that allows user-controlled data to be passed directly to a variable function call mechanism. This makes it possible for unauthenticated attackers to call arbitrary PHP class methods that take no inputs or have default values, potentially leading to information disclosure or remote code execution depending on available methods and server configuration.
Title | | ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More <= 2.2.12 - Unauthenticated Limited Remote Code Execution
Weaknesses | | CWE-94
References | |
Metrics | | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:25.788Z

Reserved: 2025-09-18T08:54:40.666Z

Link: CVE-2025-10679

Vulnrichment

Updated: 2026-03-25T13:58:04.591Z

NVD

Status : Deferred

Published: 2026-03-23T06:16:17.797

Modified: 2026-04-24T16:32:53.997

Link: CVE-2025-10679

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:49:43Z

Weaknesses