Description
The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `trustindex` shortcode in all versions up to, and including, 13.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Widgets for Google Reviews plugin for WordPress allows an authenticated user with contributor-level access to store malicious JavaScript via the plugin's trustindex shortcode. The flaw results from insufficient input sanitization and inadequate output escaping on user supplied attributes, enabling the injection of arbitrary scripts that execute when a page containing the shortcode is rendered. This constitutes a Stored Cross-Site Scripting vulnerability (CWE-79).

Affected Systems

All releases of the plugin up to and including 13.2.1 are vulnerable, so any WordPress site that has not upgraded past that version is affected. The plugin, produced by Trustindex, is distributed through the WordPress Plugin Repository and is commonly used to display Google Reviews.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. Because the flaw requires authentication and sufficient privileges, an attacker would first need to compromise a contributor or higher account or leverage a pre-existing account, and then craft a malicious shortcode that is stored and later rendered to any visitor. Despite the low EPSS, the potential impact on any user who views affected pages warrants rapid patching; the vulnerability is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 21, 2026 at 00:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Widgets for Google Reviews plugin to a fixed release (version 13.2.2 or newer).
  • Remove any instances of the trustindex shortcode from publicly exposed content until the update is applied or a temporary disable solution is in place.
  • Restrict contributor-level access to users who genuinely need it, or consider revoking contributor privileges from accounts that can edit content containing the shortcode.
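As an added example (not code from the page, OpenCVE, or the plugin), the following Python audit supports the interim recommendation above: it lists every `trustindex` shortcode found in exported post content and flags attribute names or values that carry markup, event-handler or script-URL fragments, so a site owner can review or remove those instances until the update is applied. The sample rows and the attribute name `data-widget-id` are constructed, and the attribute parser is a simplified form of WordPress's shortcode syntax.

```python
import re

# Constructed sample rows of (post_id, author, post_content); the attribute
# name data-widget-id is hypothetical and not taken from the plugin.
SAMPLE_POSTS = [
    (101, "editor", 'Intro [trustindex data-widget-id="abc123"] outro'),
    (102, "contrib", '[trustindex data-widget-id="x" onmouseover="alert(1)"]'),
    (103, "contrib", "[trustindex data-widget-id='<script>alert(1)</script>']"),
    (104, "editor", "No shortcode here."),
]

# Matches the shortcode tag and captures its raw attribute string.
SHORTCODE_RE = re.compile(r"\[trustindex\b([^\]]*)\]", re.IGNORECASE)
# Simplified attribute syntax: name="v", name='v' or name=v (WordPress allows more).
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))')
# Markup characters, inline event handlers and javascript: URLs have no place in a
# widget attribute; any hit is a signal for manual review, not proof of abuse.
SUSPICIOUS_RE = re.compile(r"[<>\"']|on\w+\s*=|javascript:", re.IGNORECASE)


def parse_attrs(raw: str) -> dict:
    """Parse a raw shortcode attribute string into a {name: value} dict."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        name = m.group(1).lower()
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value
    return attrs


def audit_posts(posts):
    """Return (post_id, author, attrs, reasons) for every trustindex shortcode.

    reasons is an empty list when nothing in the shortcode looks suspicious.
    """
    findings = []
    for post_id, author, content in posts:
        for m in SHORTCODE_RE.finditer(content):
            attrs = parse_attrs(m.group(1))
            reasons = []
            for name, value in attrs.items():
                if name.startswith("on"):
                    reasons.append(f"event handler attribute {name}")
                if SUSPICIOUS_RE.search(value):
                    reasons.append(f"markup/script fragment in {name}")
            findings.append((post_id, author, attrs, reasons))
    return findings


if __name__ == "__main__":
    for post_id, author, attrs, reasons in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id} ({author}): {'REVIEW' if reasons else 'ok'} {attrs} {reasons}")
```

In a real audit, replace SAMPLE_POSTS with rows read from the wp_posts table (or a WXR export) and triage every REVIEW line by hand.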

Advisories

No advisories yet.

History

Thu, 11 Dec 2025 16:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Dec 2025 15:30:00 +0000

Type: First Time appeared
Values added: Trustindex; Trustindex widgets For Google Reviews; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values added: Trustindex; Trustindex widgets For Google Reviews; Wordpress; Wordpress wordpress

Thu, 11 Dec 2025 03:45:00 +0000

Type: Description
Values added: The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `trustindex` shortcode in all versions up to, and including, 13.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
Values added: Widgets for Google Reviews <= 13.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via trustindex Shortcode
Type: Weaknesses
Values added: CWE-79
Type: References
Type: Metrics
Values added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:53.757Z

Reserved: 2025-08-25T13:06:03.706Z

Link: CVE-2025-9436

Vulnrichment

Updated: 2025-12-11T15:30:24.637Z

NVD

Status: Deferred

Published: 2025-12-11T04:15:59.920

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9436

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:00:12Z

Weaknesses