Impact
The Widgets for Google Reviews plugin for WordPress is affected by a stored cross‑site scripting flaw caused by insufficient input sanitization and output escaping of imported Google Reviews data. An unauthenticated attacker who can add a malicious review to a Google Place linked to the vulnerable site can supply arbitrary JavaScript that the plugin later renders in the admin panel and, potentially, on the public front‑end whenever a user opens the imported review. The injected script runs with the privileges of the page context, enabling session hijacking, data theft, defacement, or further exploitation of the site.
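The defect class described above, shown as an added PHP example rather than the plugin's own code: one renderer that concatenates imported review fields straight into HTML, and a hardened counterpart that escapes each field for the context it lands in. The function names (`gr_render_review_*`, `gr_output_contains_raw_script`), the shape of the `$review` array and its contents are constructed for illustration; the `esc_html()`, `esc_attr()` and `esc_url()` stand-ins exist only so the file runs outside WordPress, where the real functions from `wp-includes/formatting.php` would be used instead.

```php
<?php
// Added example (not the plugin's code). Demonstrates why imported review text
// must be treated as untrusted and escaped at output time.
// All names and sample values below are hypothetical/constructed.

// Minimal stand-ins so the file also runs outside WordPress. Inside WordPress
// these are already defined and the real implementations are used.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Like WordPress esc_url(), only http/https schemes are allowed; anything
    // else (e.g. javascript:) collapses to an empty string.
    function esc_url($url) {
        $url = (string) $url;
        $scheme = parse_url($url, PHP_URL_SCHEME);
        if (!in_array($scheme, ['http', 'https'], true)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample of one imported review record. Every field is chosen by
// the reviewer, so none of it can be trusted.
$review = [
    'author' => 'Eve <script>alert(1)</script>',
    'text'   => 'Great place! <script>alert("xss")</script>',
    'rating' => '5',
    'avatar' => 'javascript:alert(1)',
];

// VULNERABLE pattern: fields are dropped into HTML unchanged, so reviewer
// markup becomes live script wherever the widget is rendered.
function gr_render_review_vulnerable(array $r): string {
    return '<div class="review" data-rating="' . $r['rating'] . '">'
         . '<img src="' . $r['avatar'] . '" alt="">'
         . '<strong>' . $r['author'] . '</strong>'
         . '<p>' . $r['text'] . '</p></div>';
}

// HARDENED pattern: escape per output context. esc_html for text nodes,
// esc_attr for attribute values, esc_url for URLs, and an integer cast for
// the numeric rating so only digits can ever reach the attribute.
function gr_render_review_safe(array $r): string {
    return '<div class="review" data-rating="' . esc_attr((string) (int) $r['rating']) . '">'
         . '<img src="' . esc_url($r['avatar']) . '" alt="">'
         . '<strong>' . esc_html($r['author']) . '</strong>'
         . '<p>' . esc_html($r['text']) . '</p></div>';
}

// A check a maintainer could keep as a regression test: no raw "<script"
// from the input may survive in the rendered output.
function gr_output_contains_raw_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

echo "vulnerable: " . gr_render_review_vulnerable($review) . "\n";
echo "hardened:   " . gr_render_review_safe($review) . "\n";
echo "raw script in vulnerable output: "
   . (gr_output_contains_raw_script(gr_render_review_vulnerable($review)) ? 'yes' : 'no') . "\n";
echo "raw script in hardened output:   "
   . (gr_output_contains_raw_script(gr_render_review_safe($review)) ? 'yes' : 'no') . "\n";
```

Output escaping at render time is the control that closes this class of bug; stripping tags when the review is imported (for example with `sanitize_text_field()`) is worthwhile defense in depth, but a later code path that echoes the stored value raw would reopen the hole, so the escaping has to live where the HTML is produced. The same rule applies to the admin-side listing, which the advisory names as the first place the injected script is rendered.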
Affected Systems
The vulnerability affects the WordPress plugin Widgets for Google Reviews in version 13.2.4 and earlier. Affected systems are WordPress sites running this plugin with review import from Google Places configured.
Risk and Exploitability
The CVSS score of 7.2 reflects a high severity, while the EPSS score of less than 1% indicates a low exploitation probability at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker can exploit the weakness without authentication by creating a malicious review on a connected Google Place; the script is stored by the plugin and executed whenever the review is displayed, potentially affecting any visitor or administrator who views the review. Because the remediation is a simple update, the risk decreases once the patch is applied, but until then the ability to run arbitrary client‑side code remains.
OpenCVE Enrichment