Reviewx
Monthly
Reflected/stored Cross-Site Scripting in the ReviewX WordPress plugin (versions 2.3.10 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted request or page. The scope-changed CVSS 3.1 score of 7.1 (PR:N/UI:R) reflects that no authentication is required but a victim must be lured into triggering the payload. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a disclosed-but-not-yet-actively-exploited plugin flaw reported by Patchstack.
Authentication bypass in the ReviewX WordPress plugin versions 2.3.6 and earlier allows remote unauthenticated attackers to perform actions they should not be able to, leading to high-integrity impact on the affected site. The flaw is classified as CWE-288 (authentication bypass using an alternate path/channel) and was disclosed by Patchstack via the WordPress plugin vulnerability database. No public exploit identified at time of analysis and the issue is not listed on CISA KEV.
Missing Authorization vulnerability in ReviewX ReviewX allows Exploiting Incorrectly Configured Access Control Security Levels.6.28. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The ReviewX - Multi-criteria Rating & Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the reviewx_remove_guest_image. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
Broken Access Control vulnerability in ReviewX.6.21. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ReviewX allows Stored XSS.6.22. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.13 due to insufficient restriction on the 'rx_set_screen_options' function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 26.8%.
The 'rx_export_review' action in the ReviewX WordPress Plugin, is affected by an authenticated SQL injection vulnerability in the 'filterValue' and 'selectedColumns' parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Reflected/stored Cross-Site Scripting in the ReviewX WordPress plugin (versions 2.3.10 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted request or page. The scope-changed CVSS 3.1 score of 7.1 (PR:N/UI:R) reflects that no authentication is required but a victim must be lured into triggering the payload. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a disclosed-but-not-yet-actively-exploited plugin flaw reported by Patchstack.
Authentication bypass in the ReviewX WordPress plugin versions 2.3.6 and earlier allows remote unauthenticated attackers to perform actions they should not be able to, leading to high-integrity impact on the affected site. The flaw is classified as CWE-288 (authentication bypass using an alternate path/channel) and was disclosed by Patchstack via the WordPress plugin vulnerability database. No public exploit identified at time of analysis and the issue is not listed on CISA KEV.
Missing Authorization vulnerability in ReviewX ReviewX allows Exploiting Incorrectly Configured Access Control Security Levels.6.28. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The ReviewX - Multi-criteria Rating & Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the reviewx_remove_guest_image. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
Broken Access Control vulnerability in ReviewX.6.21. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ReviewX allows Stored XSS.6.22. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.13 due to insufficient restriction on the 'rx_set_screen_options' function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 26.8%.
The 'rx_export_review' action in the ReviewX WordPress Plugin, is affected by an authenticated SQL injection vulnerability in the 'filterValue' and 'selectedColumns' parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.