Description
The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.12 via the syncedData function. This makes it possible for unauthenticated attackers to extract sensitive data including user names, emails, phone numbers, addresses.
Published: 2026-03-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Immediate Patch
AI Analysis

Impact

The ReviewX – WooCommerce Product Reviews plugin is vulnerable to sensitive information exposure in all versions up to and including 2.2.12 through its syncedData function. The flaw lets unauthenticated requesters retrieve personal data such as user names, email addresses, phone numbers and addresses, exposing customer information and raising the risk of privacy violations and targeted phishing. The weakness is classified as CWE-922 (Insecure Storage of Sensitive Information).

Affected Systems

Any WordPress site running the ReviewX plugin at version 2.2.12 or earlier is affected. The advisory attributes the flaw to the plugin's syncedData function, whose name indicates a review-data synchronization routine, so WooCommerce sites that rely on this plugin for product reviews should check the installed plugin version. The advisory names no fixed release; a version newer than 2.2.12 should be treated as a fix only once the vendor or Wordfence confirms it.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates moderate severity: reachable over the network, low attack complexity, no privileges or user interaction required, limited confidentiality impact and no integrity or availability impact. The EPSS probability is below 1%, the vulnerability is not in CISA's KEV catalog, and the SSVC record lists Exploitation as "none", so no exploitation in the wild has been reported; SSVC does mark it Automatable, consistent with the attack needing nothing more than a request to the syncedData endpoint from outside the site. No credentials are required, so exploitation is straightforward for anyone who can reach the site.

Generated by OpenCVE AI on March 23, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ReviewX plugin to a version newer than 2.2.12 if one is available.
  • If an update cannot be applied immediately, block requests to the syncedData endpoint at the web server or with a web application firewall; the advisory does not describe a plugin setting that disables it.
  • Verify that the endpoint no longer returns customer data by requesting it without authentication from an external network (or with a security scan) and inspecting the response body.
  • Monitor WordPress logs and web traffic for unexpected requests to the syncedData endpoint and review logs for signs of data exfiltration.
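The two checks above, as an added example that is not code from the OpenCVE page or from the ReviewX plugin: one helper inspects a response captured from the syncedData endpoint for the field families the advisory lists (name, email, phone, address), and one scans web server access logs for successful hits on that endpoint. The advisory names the function, not its URL, so the route is assumed to contain the string "syncedData" and the path in the sample log lines is hypothetical; the log lines and response body are constructed, not captured.

```python
"""Added example, not code from the OpenCVE page or from the ReviewX plugin.

It supports two of the recommended actions: checking whether a response
captured from the syncedData endpoint still contains customer fields, and
scanning web server access logs for hits on that endpoint.

Labelled assumptions: the REST route is assumed to contain the function name
"syncedData" (the advisory names the function, not the URL, so the path used in
the sample log lines is hypothetical); the logs are in Apache/nginx "combined"
format; the response body and log lines below are constructed, not captured.
"""
import json
import re
from collections import Counter
from typing import Dict, Iterable, List

# Field families the advisory says are exposed; matched against JSON key names.
SENSITIVE_KEYS = ("name", "email", "phone", "address")
EMAIL_RE = re.compile(r"[^@\s\"']+@[^@\s\"']+\.[a-z]{2,}", re.I)
ENDPOINT_MARK = "synceddata"  # assumption: the route contains the function name

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def _walk(obj, found: List[str]) -> None:
    """Collect keys whose name matches SENSITIVE_KEYS and any e-mail-like string value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if any(s in key.lower() for s in SENSITIVE_KEYS):
                found.append(key)
            _walk(value, found)
    elif isinstance(obj, list):
        for item in obj:
            _walk(item, found)
    elif isinstance(obj, str) and EMAIL_RE.search(obj):
        found.append("<email-like value>")


def leaked_fields(body: str) -> List[str]:
    """Return sensitive-looking keys/values found in a response body.

    An empty list means an unauthenticated request no longer yields customer
    data. A non-JSON body (e.g. an HTML 403 page) is still checked for raw
    e-mail addresses so a malformed error page cannot hide a leak."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ["<email-like value>"] if EMAIL_RE.search(body) else []
    found: List[str] = []
    _walk(doc, found)
    return sorted(set(found))


def parse_line(line: str) -> Dict[str, str]:
    """Parse one combined-format line; returns {} for lines that do not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else {}


def suspicious_hits(lines: Iterable[str]) -> Dict[str, int]:
    """Count, per client IP, requests to the syncedData endpoint answered 2xx.

    Only successful responses are counted, because those are the ones that
    actually served data; blocked (403) attempts are not. The access log cannot
    tell a logged-in request from an anonymous one, so the result is a lead to
    correlate with WordPress session/auth logs, not proof of exfiltration."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and ENDPOINT_MARK in rec["path"].lower() and rec["status"].startswith("2"):
            hits[rec["ip"]] += 1
    return dict(hits)


# Constructed sample data. The route /wp-json/reviewx/v1/syncedData is hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Mar/2026:07:01:02 +0000] "GET /wp-json/reviewx/v1/syncedData?page=1 HTTP/1.1" 200 48213 "-" "python-requests/2.31"',
    '203.0.113.5 - - [23/Mar/2026:07:01:03 +0000] "GET /wp-json/reviewx/v1/syncedData?page=2 HTTP/1.1" 200 47990 "-" "python-requests/2.31"',
    '198.51.100.9 - - [23/Mar/2026:07:05:44 +0000] "GET /shop/product-a/ HTTP/1.1" 200 21000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [23/Mar/2026:07:06:10 +0000] "GET /wp-json/reviewx/v1/syncedData HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]
SAMPLE_BODY = json.dumps({"reviews": [
    {"id": 1, "reviewer_name": "Ada", "reviewer_email": "ada@example.com",
     "billing_phone": "+1-555-0100", "rating": 5},
]})

if __name__ == "__main__":
    print("leaked fields:", leaked_fields(SAMPLE_BODY))
    print("2xx hits per IP:", suspicious_hits(SAMPLE_LOG))
```

Replace SAMPLE_BODY with the body returned by an unauthenticated request to your site after patching or blocking, and feed the real access log into suspicious_hits; a non-empty result from leaked_fields means the mitigation is not effective, and any IP with a large 2xx count before the fix date is a candidate for an exfiltration review.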

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

  Type: Metrics
    Values Removed: (none)
    Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

  Type: First Time appeared
    Values Removed: (none)
    Values Added: Reviewx; Reviewx reviewx – Multi-criteria Reviews For Woocommerce With Google Reviews & Schema; Wordpress; Wordpress wordpress
  Type: Vendors & Products
    Values Removed: (none)
    Values Added: Reviewx; Reviewx reviewx – Multi-criteria Reviews For Woocommerce With Google Reviews & Schema; Wordpress; Wordpress wordpress

Mon, 23 Mar 2026 05:45:00 +0000

  Type: Description
    Values Removed: (none)
    Values Added: The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.12 via the syncedData function. This makes it possible for unauthenticated attackers to extract sensitive data including user names, emails, phone numbers, addresses.
  Type: Title
    Values Removed: (none)
    Values Added: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More <= 2.2.12 - Unauthenticated Sensitive Information Exposure
  Type: Weaknesses
    Values Removed: (none)
    Values Added: CWE-922
  Type: References
    Values Removed: (none)
    Values Added: (none listed)
  Type: Metrics
    Values Removed: (none)
    Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:13.762Z

Reserved: 2025-09-19T14:55:16.957Z

Link: CVE-2025-10734

Vulnrichment

Updated: 2026-03-23T15:17:51.310Z

NVD

Status : Awaiting Analysis

Published: 2026-03-23T06:16:18.307

Modified: 2026-03-23T14:31:37.267

Link: CVE-2025-10734

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:49:41Z

Weaknesses