[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fBnNILwFctKkmqEhMhDDEtUPCzk4yln72CCHw-psji1o":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2025-10734","reviewx-woocommerce-product-reviews-with-multi-criteria-reminder-emails-google-reviews-schema-more-unauthenticated-sensi-2","ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More \u003C= 2.2.12 - Unauthenticated Sensitive Information Exposure","The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.12 via the syncedData function. This makes it possible for unauthenticated attackers to extract sensitive data including user names, emails, phone numbers, addresses.","reviewx",null,"\u003C=2.2.12","2.3.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Insecure Storage of Sensitive Information","2026-03-22 16:26:54","2026-03-23 05:29:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Feb830ad3-50ba-4dfe-becb-351b227706c1?source=api-prod",1,[22,23,24,25,26,27,28,29],"README.txt","app\u002FApi\u002FBaseApi.php","app\u002FApi\u002FWpApi.php","app\u002FCPT\u002FCommentsRatingColumn.php","app\u002FCPT\u002FCptAverageRating.php","app\u002FCPT\u002FCptCommentsLinkMeta.php","app\u002FCPT\u002FCptReviewAddReply.php","app\u002FHandlers\u002FIsAlreadySyncSucess.php","researched",false,3,"This plan outlines the research and exploitation strategy for **CVE-2025-10734**, a sensitive information exposure vulnerability in the **ReviewX** plugin (\u003C= 2.2.12).\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the `syncedData` function, which is exposed via the plugin's REST API. Due to a lack of authentication and authorization checks, any user (unauthenticated) can call this endpoint. The function is designed to facilitate data synchronization between the WordPress site and the ReviewX SaaS platform (`reviewx.io`). It retrieves and returns detailed information about product reviews, including sensitive Personal Identifiable Information (PII) of the reviewers such as full names, email addresses, and potentially phone numbers or addresses linked to WooCommerce orders.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** Inferred to be a REST API route under the `reviewx\u002Fv1` namespace (likely `\u002Fwp-json\u002Freviewx\u002Fv1\u002Fsynced-data` or `\u002Fwp-json\u002Freviewx\u002Fv1\u002Fsync`).\n*   **HTTP Method:** `GET` (most likely for data extraction).\n*   **Authentication:** None required (`PR:N`).\n*   **Preconditions:** The plugin must be active. For the data to be \"sensitive,\" there must be existing reviews in the system.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers a REST route during the `rest_api_init` hook.\n2.  **Route Mapping:** The route (e.g., `synced-data`) is mapped to a callback method named `syncedData` within a REST controller class.\n3.  **Missing Permission Check:** The `register_rest_route` call likely lacks a `permission_callback` or uses `__return_true`, allowing unauthenticated access.\n4.  **Data Retrieval:** The `syncedData` function queries the `wp_comments` and `wp_commentmeta` tables (and possibly `wp_posts` for WooCommerce order data).\n5.  **Sink:** The function returns a `WP_REST_Response` containing a JSON array of reviewer details:\n    *   `comment_author` (User Name)\n    *   `comment_author_email` (Email)\n    *   WooCommerce billing data (Phone\u002FAddress) if the review is verified\u002Flinked to an order.\n\n### 4. Nonce Acquisition Strategy\nBased on the \"Unauthenticated\" nature of this vulnerability and the likely purpose of the endpoint (SaaS synchronization), it is highly probable that **no WordPress nonce is required**. \n\nHowever, if a nonce is required for the REST API (`wp_rest`), it can be obtained as follows:\n1.  **Identify Shortcode:** ReviewX commonly uses the `[reviewx_pagination]` or `[reviewx_reviews]` shortcodes.\n2.  **Setup Page:** Create a public page containing one of these shortcodes.\n3.  **Extract Nonce:**\n    *   Navigate to the page using `browser_navigate`.\n    *   Execute `browser_eval(\"window.rvx_params?.nonce\")` or `browser_eval(\"window.rvx_params?.rest_nonce\")`.\n    *   The localization key is often `rvx_params` or `reviewx_data`.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Identify the Endpoint\nQuery the WordPress REST API index to find the exact ReviewX route mapping.\n*   **Action:** `http_request`\n*   **Method:** `GET`\n*   **URL:** `\u002Fwp-json\u002Freviewx\u002Fv1`\n*   **Goal:** Look for routes containing \"sync\" or \"data\" and identify the callback associated with `syncedData`.\n\n#### Step 2: Populate Target Data\nTo confirm exposure, the environment must contain reviews with PII.\n*   **Action:** Use WP-CLI to create a WooCommerce product and multiple reviews.\n    ```bash\n    wp eval \"\n    \\$product_id = wc_create_product(['name' => 'Vulnerable Product']);\n    wp_insert_comment([\n        'comment_post_ID' => \\$product_id,\n        'comment_author' => 'John Doe',\n        'comment_author_email' => 'john.doe@example.com',\n        'comment_content' => 'Great product!',\n        'comment_type' => 'review',\n        'comment_approved' => 1\n    ]);\n    \"\n    ```\n\n#### Step 3: Execute Data Extraction\nPerform the unauthenticated request to the identified endpoint.\n*   **Action:** `http_request`\n*   **Method:** `GET`\n*   **URL:** `\u002Fwp-json\u002Freviewx\u002Fv1\u002Fsynced-data` (or the route found in Step 1).\n*   **Headers:** `Accept: application\u002Fjson`\n\n#### Step 4: Verify PII in Response\nCheck the JSON response for the email `john.doe@example.com` and the name `John Doe`.\n\n### 6. Test Data Setup\n1.  **Plugin Status:** Ensure `reviewx` version 2.2.12 is installed and active.\n2.  **WooCommerce:** WooCommerce must be active as ReviewX depends on it.\n3.  **Reviews:** \n    *   Create a \"Guest\" review (author name\u002Femail).\n    *   Create a \"Customer\" review (linked to a WP User).\n    *   (Optional) Use WP-CLI to add meta keys like `_billing_phone` to the user to see if the `syncedData` function pulls extended profile data.\n\n### 7. Expected Results\n*   **Vulnerable Response:** A `200 OK` status with a JSON body containing an array of review objects. Each object includes cleartext `comment_author_email` and `comment_author`.\n*   **Example Payload Snippet:**\n    ```json\n    [\n      {\n        \"wp_id\": 123,\n        \"reviewer_name\": \"John Doe\",\n        \"reviewer_email\": \"john.doe@example.com\",\n        \"feedback\": \"Great product!\",\n        \"rating\": 5\n      }\n    ]\n    ```\n\n### 8. Verification Steps\n1.  **Check Output:** Verify that the email and name in the HTTP response match the data created in the \"Test Data Setup\" step.\n2.  **Verify Unauthenticated Status:** Perform the request without any cookies or `Authorization` headers to confirm the \"Unauthenticated\" claim.\n3.  **Confirm Version:** Use `wp plugin get reviewx --field=version` to ensure the test was performed on \u003C= 2.2.12.\n\n### 9. Alternative Approaches\nIf `\u002Fsynced-data` is not the route:\n1.  **Route Discovery:** Iterate through all routes returned by `\u002Fwp-json\u002Freviewx\u002Fv1`.\n2.  **Parameter Fuzzing:** Some sync functions require a `last_sync_id` or `timestamp`. Try `?since=0` or `?page=1` if the initial request returns an empty array.\n3.  **Check Admin-Ajax:** ReviewX also registers many `wp_ajax_nopriv_` actions. Search the codebase for `add_action('wp_ajax_nopriv_` to see if `syncedData` is also exposed via AJAX.\n    *   Target: `\u002Fwp-admin\u002Fadmin-ajax.php?action=rvx_get_synced_data` (inferred).","The ReviewX plugin for WordPress (\u003C= 2.2.12) is vulnerable to unauthenticated sensitive information exposure through its data synchronization REST API endpoint. The `syncedData` function lacks proper authentication and authorization checks, allowing any user to retrieve reviewer PII, including names, email addresses, and WooCommerce billing details.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.12\u002Fapp\u002FApi\u002FBaseApi.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.3.0\u002Fapp\u002FApi\u002FBaseApi.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.12\u002Fapp\u002FApi\u002FBaseApi.php\t2025-10-15 13:32:48.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.3.0\u002Fapp\u002FApi\u002FBaseApi.php\t2025-12-22 12:17:34.000000000 +0000\n@@ -35,6 +35,6 @@\n      *\u002F\n     public function getDefaultHeaders() : array\n     {\n-        return ['Authorization' => 'Bearer ' . Helper::getAuthToken(), 'X-Auth-Token' => 'Bearer ' . Helper::getAuthToken(), 'Accept' => 'application\u002Fjson', 'X-Domain' => Helper::getWpDomainNameOnly(), 'X-Theme' => wp_get_theme()->get('Name'), 'X-Site-Locale' => get_locale(), 'X-Request-Id' => \\sha1(\\time() . Client::getUid()), 'X-Wp-Version' => get_bloginfo(\"version\"), 'X-Reviewx-Version' => RVX_VERSION, 'X-Environment' => Helper::plugin()->isProduction() ? 'production' : 'development'];\n+        return ['Accept' => 'application\u002Fjson', 'Authorization' => 'Bearer ' . Helper::getAuthToken(), 'X-Domain' => Helper::getWpDomainNameOnly(), 'X-Theme' => wp_get_theme()->get('Name'), 'X-Site-Locale' => get_locale(), 'X-Request-Id' => \\sha1(\\time() . Client::getUid()), 'X-Wp-Version' => get_bloginfo(\"version\"), 'X-Reviewx-Version' => RVX_VERSION, 'X-Environment' => Helper::plugin()->isProduction() ? 'production' : 'development'];\n     }\n }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.12\u002Fapp\u002FApi\u002FWpApi.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.3.0\u002Fapp\u002FApi\u002FWpApi.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.12\u002Fapp\u002FApi\u002FWpApi.php\t2025-10-15 13:32:48.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.3.0\u002Fapp\u002FApi\u002FWpApi.php\t2025-12-22 12:17:34.000000000 +0000\n@@ -72,7 +72,6 @@\n         $headers = ['Content-Type' => 'application\u002Fjson'];\n         if ($this->token) {\n             $headers['Authorization'] = 'Bearer ' . $this->token;\n-            $headers['X-Auth-Token'] = 'Bearer ' . $this->token;\n         }\n         return $headers;\n     }\n... (truncated)","1. Query the WordPress REST API index to identify the ReviewX route mapping, typically located under the '\u002Fwp-json\u002Freviewx\u002Fv1' namespace.\n2. Locate the endpoint associated with the 'syncedData' function (e.g., '\u002Fwp-json\u002Freviewx\u002Fv1\u002Fsynced-data' or '\u002Fwp-json\u002Freviewx\u002Fv1\u002Fsync').\n3. Execute an unauthenticated GET request to the identified endpoint. No WordPress nonces or authorization headers are required.\n4. Analyze the JSON response, which returns an array of review data objects containing sensitive fields like 'comment_author' (name), 'comment_author_email', and linked WooCommerce billing information (phone and address) for verified customers.","gemini-3-flash-preview","2026-04-18 00:19:51","2026-04-18 00:20:19",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","2.2.12","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freviewx\u002Ftags\u002F2.2.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Freviewx.2.2.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freviewx\u002Ftags\u002F2.3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Freviewx.2.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freviewx\u002Ftags"]