Description
The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to unauthorized access of data due to improper authorization checks on the userAccessibility() function in all versions up to, and including, 2.2.10. This makes it possible for unauthenticated attackers to access protected REST API endpoints, extract and modify information related to users and plugin's configuration
Published: 2026-03-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data exposure and manipulation via REST API endpoints
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in the ReviewX plugin's userAccessibility() function, which is meant to decide whether a caller may use the plugin's protected REST API endpoints but does not perform an adequate authorization check. An unauthenticated attacker can therefore reach those endpoints and read or change user-related data and plugin settings. This compromises confidentiality (private information is exposed) and integrity (configuration can be altered) without any credentials. The weakness is classified as improper authorization (CWE-285).

Affected Systems

All versions of the ReviewX plugin (listed by the vendor as ReviewX – Multi‑Criteria Reviews for WooCommerce) up to and including 2.2.10 are affected. Any WordPress site running one of these releases is exposed; the plugin's REST endpoints are reachable wherever the site itself is.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) indicates moderate severity: the flaw is reachable over the network with low attack complexity and needs neither privileges nor user interaction, but its impact on confidentiality and integrity is rated low and availability is unaffected. The EPSS score is below 1% and the CVE is not in the KEV catalog, so there is no current evidence of exploitation in the wild. Nonetheless, exploitation is straightforward: an attacker sends crafted REST API requests without authenticating and retrieves or alters data. Because no credentials are required, anyone who can reach the site's REST API (normally served under /wp-json/) can attempt it, and the SSVC assessment recorded below marks the vulnerability as automatable. This makes it a significant risk for any site with the REST API exposed to the Internet, which is the default.

Generated by OpenCVE AI on March 23, 2026 at 06:24 UTC.
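The flaw class described above, as an added illustrative example in PHP; this is not code from the ReviewX plugin or from OpenCVE. It shows a WordPress REST route registered with a permission_callback that authorizes everyone (the CWE-285 pattern behind "unauthenticated access to protected REST endpoints"), beside the same route gated on a capability. The namespace example/v1, the route names, the option name example_settings and the manage_options capability are assumptions for illustration; the advisory names only the userAccessibility() function and does not say how it is wired in.

```php
<?php
/**
 * Illustrative example, not code from the ReviewX plugin: a WordPress REST
 * route whose permission_callback authorizes everyone, beside a hardened
 * form of the same route.
 *
 * Assumptions (not from the advisory): namespace 'example/v1', option
 * 'example_settings', and 'manage_options' as the gating capability.
 */

// BEFORE: the route is "protected" only in name. permission_callback returns
// true for every caller, so an anonymous GET or POST reaches the handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_settings_handler',
        'permission_callback' => '__return_true', // CWE-285: no authorization
    ) );
} );

// AFTER: the same route with a real check. WordPress runs the permission
// callback before the handler; a false/WP_Error result becomes a 401 for
// anonymous callers or a 403 for logged-in users without the capability.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings-hardened', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_settings_handler',
        'permission_callback' => 'example_settings_permission',
        'args'                => array(
            'notify_admin' => array(
                'type'              => 'boolean',
                'sanitize_callback' => 'rest_sanitize_boolean',
            ),
        ),
    ) );
} );

function example_settings_permission( WP_REST_Request $request ) {
    // Decide on a capability, not on is_user_logged_in(): a subscriber is
    // logged in but must not read or change plugin configuration.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to manage these settings.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_settings_handler( WP_REST_Request $request ) {
    $settings = get_option( 'example_settings', array() );
    if ( 'POST' === $request->get_method() ) {
        // Only a known key is written; the route's 'args' schema has already
        // coerced and sanitized it.
        $settings['notify_admin'] = (bool) $request->get_param( 'notify_admin' );
        update_option( 'example_settings', $settings );
    }
    return rest_ensure_response( $settings );
}
```

When testing the hardened route from a logged-in browser session, send the X-WP-Nonce header produced by wp_create_nonce('wp_rest'); without it WordPress's cookie authentication treats the request as anonymous and current_user_can() evaluates against user 0, which is exactly the position an unauthenticated attacker is in. Admin-side JavaScript that uses wp.apiFetch adds the nonce automatically.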

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ReviewX plugin to a release newer than 2.2.10; the advisory lists every version up to and including 2.2.10 as affected.
  • If upgrading immediately is not possible, block unauthenticated access to the plugin's REST API endpoints with a firewall rule or HTTP authentication. Note that WordPress also serves REST routes through the query form /?rest_route=/..., so a rule that matches only the /wp-json/ path prefix is incomplete.
  • Review and audit the plugin's configuration to ensure no sensitive data is exposed via its endpoints.
  • Monitor REST API logs for suspicious requests to the plugin's endpoints and enforce rate limiting where possible.

Generated by OpenCVE AI on March 23, 2026 at 06:24 UTC.
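An in-WordPress form of the second action above (block unauthenticated access to the plugin's REST endpoints until the upgrade can be applied), as an added example that is not vendor code and not part of the OpenCVE recommendations. It is a must-use plugin that short-circuits REST dispatch for an assumed namespace prefix before the route's own (flawed) permission callback runs. The prefix /example/v1/ and the manage_options requirement are placeholders, because the page does not list the affected plugin's actual REST namespace or routes; replace them with the namespace the plugin registers, which an administrator can enumerate with GET /wp-json/.

```php
<?php
/**
 * Plugin Name: Temporary REST gate for a vulnerable plugin namespace
 *
 * Added example of the "block unauthenticated access" workaround; not vendor
 * code. Place it in wp-content/mu-plugins/ so it loads before regular
 * plugins and cannot be deactivated from wp-admin.
 *
 * Assumptions (not stated on the advisory page): the gated prefix
 * '/example/v1/' and the log line format are illustrative placeholders.
 */

// Route strings from WP_REST_Request::get_route() start with '/',
// e.g. '/example/v1/settings'. Keep this list as narrow as you can.
const EXAMPLE_GATED_NAMESPACES = array( '/example/v1/' );

function example_route_is_gated( $route ) {
    foreach ( EXAMPLE_GATED_NAMESPACES as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return true;
        }
    }
    return false;
}

// rest_pre_dispatch fires inside WP_REST_Server::dispatch() before the route
// is matched, so it runs ahead of the route's own permission_callback and is
// effective even when that callback is the flaw. Returning a non-null value
// short-circuits dispatch; returning null lets WordPress continue normally.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already short-circuited this request
    }
    $route = $request->get_route();
    if ( ! example_route_is_gated( $route ) ) {
        return null; // not a gated namespace
    }
    // Authentication has already run (serve_request() calls
    // check_authentication() before dispatch), so the current user is known.
    // Cookie-authenticated callers without a valid X-WP-Nonce resolve to
    // user 0 and are treated as anonymous here, as WordPress itself does.
    if ( get_current_user_id() > 0 && current_user_can( 'manage_options' ) ) {
        return null; // administrator: allow the request to dispatch
    }
    error_log( sprintf(
        'rest-gate: denied %s %s from %s (user %d)',
        $request->get_method(),
        $route,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        get_current_user_id()
    ) );
    return new WP_Error(
        'rest_gate_denied',
        'This endpoint is temporarily restricted.',
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

Gating at this layer rather than only at a reverse proxy matters because WordPress also serves every REST route through the query form /?rest_route=/example/v1/settings, so a firewall rule that matches only the /wp-json/ path prefix can be bypassed. Expect any legitimately anonymous front-end calls under a gated prefix (for example review submission by shoppers, if it shares the namespace) to fail while the gate is in place; if you can identify the specific routes that expose configuration and user data, list those instead of the whole namespace. The error_log() lines give you the monitoring signal the last recommended action asks for.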


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Reviewx
                                      Reviewx reviewx – Multi-criteria Reviews For Woocommerce With Google Reviews & Schema
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Reviewx
                                      Reviewx reviewx – Multi-criteria Reviews For Woocommerce With Google Reviews & Schema
                                      Wordpress
                                      Wordpress wordpress

Mon, 23 Mar 2026 05:15:00 +0000

Type         Values Removed   Values Added
Description                   The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to unauthorized access of data due to improper authorization checks on the userAccessibility() function in all versions up to, and including, 2.2.10. This makes it possible for unauthenticated attackers to access protected REST API endpoints, extract and modify information related to users and plugin's configuration
Title                         ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More <= 2.2.10 - Incorrect Authorization to Unauthenticated Information Exposure and Data Manipulation
Weaknesses                    CWE-285
References
Metrics                       cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Reviewx Reviewx – Multi-criteria Reviews For Woocommerce With Google Reviews & Schema
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:17.350Z

Reserved: 2025-09-19T15:20:07.761Z

Link: CVE-2025-10736

Vulnrichment

Updated: 2026-03-23T15:59:49.910Z

NVD

Status: Deferred

Published: 2026-03-23T05:16:04.823

Modified: 2026-04-24T16:32:53.997

Link: CVE-2025-10736

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:49:53Z

Weaknesses