Description
The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.12 via the allReminderSettings function. This makes it possible for unauthenticated attackers to obtain authentication tokens and subsequently bypass admin restrictions to access and export sensitive data including order details, names, emails, addresses, phone numbers, and user information.
Published: 2026-03-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Sensitive Information Exposure
Action: Patch Immediately
AI Analysis

Impact

The ReviewX WooCommerce plugin contains a flaw that lets unauthenticated users call the allReminderSettings function in versions up to 2.2.12. This call returns authentication tokens that bypass admin restrictions, enabling the attacker to export sensitive customer information such as order records, names, email addresses, shipping addresses, phone numbers, and other user data. Thus the vulnerability exposes confidential data that should be available only to privileged users.

Affected Systems

This vulnerability affects the ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema plugin on any WordPress site that has it installed in versions 2.2.12 or earlier. WordPress installations that rely on this plugin for product reviews or reminders are subject to the exposure, regardless of whether other plugins or themes are present.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, but because authentication is not required, an attacker can trigger the flaw simply by sending an HTTP request to the vulnerable REST endpoint. EPSS data is not available and the issue is not listed in the CISA KEV catalog, suggesting it may not yet be widely exploited; nevertheless the potential for large-scale data leakage makes timely mitigation necessary.

Generated by OpenCVE AI on March 23, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ReviewX to version 2.2.13 or newer.
  • If an update is not available, disable the allReminderSettings REST endpoint or restrict it to authenticated users only.
  • Review export logs for suspicious activity and revoke any exposed authentication tokens.
  • Keep the WordPress core, plugins and themes updated to the latest releases.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Reviewx; Reviewx reviewx – Multi-criteria Reviews For Woocommerce With Google Reviews & Schema; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Reviewx; Reviewx reviewx – Multi-criteria Reviews For Woocommerce With Google Reviews & Schema; Wordpress; Wordpress wordpress

Mon, 23 Mar 2026 05:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.12 via the allReminderSettings function. This makes it possible for unauthenticated attackers to obtain authentication tokens and subsequently bypass admin restrictions to access and export sensitive data including order details, names, emails, addresses, phone numbers, and user information.

Type: Title
Values Removed: (none)
Values Added: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More <= 2.2.12 - Unauthenticated Sensitive Information Exposure to Data Export

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-285

Type: References
Values Removed: (none)
Values Added: (none shown on this page)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Reviewx Reviewx – Multi-criteria Reviews For Woocommerce With Google Reviews & Schema
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:48.942Z

Reserved: 2025-09-19T14:25:45.633Z

Link: CVE-2025-10731

Vulnrichment

Updated: 2026-03-23T15:52:05.644Z

NVD

Status: Deferred

Published: 2026-03-23T06:16:18.133

Modified: 2026-04-24T16:32:53.997

Link: CVE-2025-10731

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:49:44Z

Weaknesses