Skip to main content

Reviews Widgets For Google Tripadvisor Yelp Recommendations

1 CVEs product

Monthly

CVE-2026-12154 MEDIUM This Month

Stored Cross-Site Scripting in the Reviews Widgets for Google, Yelp & TripAdvisor WordPress plugin (versions up to and including 2.7.3) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages by abusing the 'page_id' attribute of the [fbrev] shortcode. The injected payload executes in the browsers of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or further exploitation within the victim's browser context. No public exploit code has been identified at time of analysis, and no KEV listing is present, but the contributor-level access bar is low in multi-author WordPress deployments.

WordPress XSS Google Reviews Widgets For Google Tripadvisor Yelp Recommendations
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Reviews Widgets for Google, Yelp & TripAdvisor WordPress plugin (versions up to and including 2.7.3) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages by abusing the 'page_id' attribute of the [fbrev] shortcode. The injected payload executes in the browsers of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or further exploitation within the victim's browser context. No public exploit code has been identified at time of analysis, and no KEV listing is present, but the contributor-level access bar is low in multi-author WordPress deployments.

WordPress XSS Google +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy