Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Network-accessible admin panel; AC:H for mandatory non-default deployment conditions; PR:H for required editor role; UI:R corrected from provided vector since a victim must visit the injected page for script execution; scope change and limited C/I impact preserved.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AnalysisAI
Stored Cross-Site Scripting in the Widgets for Google Reviews WordPress plugin (versions ≤ 13.3) enables authenticated attackers holding editor-level WordPress roles to inject persistent JavaScript through admin settings, which then executes in any site visitor's browser on pages rendering the compromised widget. Exploitation is gated by two environmental prerequisites - multi-site WordPress deployments or single-site installs where unfiltered_html has been explicitly disabled - substantially narrowing the attack surface despite the network-accessible entry point. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two explicit prerequisites must both be satisfied: (1) The attacker must hold an authenticated WordPress account with editor-level permissions or higher - unauthenticated users and lower-privileged roles (Subscriber, Contributor, Author) cannot exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 4.4 (Medium) with vector AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N signals limited real-world priority for most deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with an editor account on a WordPress multi-site network navigates to the Widgets for Google Reviews plugin settings and injects a JavaScript payload (e.g., a cookie-stealing script) into a widget configuration field such as the free widget configurator. The payload is saved to the database; any site visitor - including administrators - who subsequently loads a page containing that Google Reviews widget has the script silently execute in their browser, potentially exfiltrating session tokens or credentials to an attacker-controlled endpoint. … |
| Remediation | Update the Widgets for Google Reviews plugin to the version released after changeset 3584904 in the WordPress plugin repository (https://plugins.trac.wordpress.org/changeset?reponame=&old=3584904%40wp-reviews-plugin-for-google&new=3584904%40wp-reviews-plugin-for-google); an exact patched release number is not independently confirmed from available data, so verify the current version in the WordPress.org plugin directory changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Widgets For Google Reviews
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43155
GHSA-qc9w-x5m9-8667