Epic Review CVE-2025-53573
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme Epic Review epic-review allows Reflected XSS.This issue affects Epic Review: from n/a through <= 1.0.2.
AnalysisAI
Reflected cross-site scripting (XSS) in Epic Review WordPress plugin through version 1.0.2 allows remote attackers to execute malicious JavaScript in victim browsers when users click specially crafted links. The vulnerability stems from improper neutralization of user input during HTML generation. EPSS exploitation probability is low (0.07%, 21st percentile) with no public exploit code or active exploitation confirmed at time of analysis. WordPress site administrators should upgrade immediately as the network attack vector (AV:N) and changed scope (S:C) enable attacks across site boundaries.
Technical ContextAI
Epic Review is a WordPress plugin by jegtheme for managing and displaying customer reviews. This vulnerability is a classic reflected XSS (CWE-79) where user-supplied input (likely via GET/POST parameters or URL fragments) is echoed back into HTML responses without proper sanitization or output encoding. The reflected nature means the malicious payload is not stored server-side but delivered via malicious links. WordPress plugins frequently suffer from XSS when developers fail to use WordPress security functions like esc_html(), esc_attr(), or wp_kses() when rendering user-controllable data. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component itself, typical when JavaScript execution breaks out of the plugin's context to access cookies, session tokens, or perform actions as the victim user across the WordPress installation.
Affected ProductsAI
The vulnerability affects Epic Review WordPress plugin by jegtheme, all versions from the initial release through version 1.0.2 inclusive. The advisory from Patchstack (https://patchstack.com/database/Wordpress/Plugin/epic-review/vulnerability/wordpress-epic-review-plugin-1-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve) provides the canonical vulnerability details. WordPress installations using Epic Review plugin versions 1.0.2 or earlier are vulnerable. The plugin identifier suggests it is distributed through the WordPress plugin repository or third-party channels as a review management solution.
RemediationAI
Upgrade Epic Review plugin to version 1.0.3 or later if available, checking the vendor's official distribution channel or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/epic-review/vulnerability/wordpress-epic-review-plugin-1-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve for the confirmed patched version. If a patch is not yet released, implement compensating controls: disable the Epic Review plugin entirely until a fix is available (WordPress admin dashboard → Plugins → Deactivate epic-review), with the trade-off being loss of review display functionality. Alternatively, restrict plugin access by implementing web application firewall (WAF) rules to filter common XSS patterns in query parameters specific to Epic Review endpoints, though this provides only partial protection as attack payloads can vary. Deploy Content Security Policy (CSP) headers with strict script-src directives to limit execution of inline JavaScript, noting this may break legitimate plugin functionality if Epic Review uses inline scripts. Educate WordPress administrators and content editors about not clicking untrusted links while logged into WordPress, particularly links containing Epic Review plugin parameters.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today