Skip to main content

Reviewx

8 CVEs product

Monthly

CVE-2026-57359 HIGH This Week

Reflected/stored Cross-Site Scripting in the ReviewX WordPress plugin (versions 2.3.10 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted request or page. The scope-changed CVSS 3.1 score of 7.1 (PR:N/UI:R) reflects that no authentication is required but a victim must be lured into triggering the payload. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a disclosed-but-not-yet-actively-exploited plugin flaw reported by Patchstack.

XSS Reviewx
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-40781 HIGH This Week

Authentication bypass in the ReviewX WordPress plugin versions 2.3.6 and earlier allows remote unauthenticated attackers to perform actions they should not be able to, leading to high-integrity impact on the affected site. The flaw is classified as CWE-288 (authentication bypass using an alternate path/channel) and was disclosed by Patchstack via the WordPress plugin vulnerability database. No public exploit identified at time of analysis and the issue is not listed on CISA KEV.

Information Disclosure Reviewx
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2024-43323 CRITICAL Act Now

Missing Authorization vulnerability in ReviewX ReviewX allows Exploiting Incorrectly Configured Access Control Security Levels.6.28. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Reviewx
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-3609 MEDIUM PATCH This Month

The ReviewX - Multi-criteria Rating & Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the reviewx_remove_guest_image. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Reviewx
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-33921 MEDIUM This Month

Broken Access Control vulnerability in ReviewX.6.21. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Reviewx
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-29812 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ReviewX allows Stored XSS.6.22. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Reviewx
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2023-2833 HIGH POC THREAT Act Now

The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.13 due to insufficient restriction on the 'rx_set_screen_options' function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 26.8%.

WordPress Privilege Escalation Reviewx
NVD VulDB
CVSS 3.1
8.8
EPSS
26.8%
Threat
4.1
CVE-2023-26325 HIGH POC This Week

The 'rx_export_review' action in the ReviewX WordPress Plugin, is affected by an authenticated SQL injection vulnerability in the 'filterValue' and 'selectedColumns' parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Reviewx
NVD
CVSS 3.1
8.8
EPSS
0.9%
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored Cross-Site Scripting in the ReviewX WordPress plugin (versions 2.3.10 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted request or page. The scope-changed CVSS 3.1 score of 7.1 (PR:N/UI:R) reflects that no authentication is required but a victim must be lured into triggering the payload. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a disclosed-but-not-yet-actively-exploited plugin flaw reported by Patchstack.

XSS Reviewx
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Authentication bypass in the ReviewX WordPress plugin versions 2.3.6 and earlier allows remote unauthenticated attackers to perform actions they should not be able to, leading to high-integrity impact on the affected site. The flaw is classified as CWE-288 (authentication bypass using an alternate path/channel) and was disclosed by Patchstack via the WordPress plugin vulnerability database. No public exploit identified at time of analysis and the issue is not listed on CISA KEV.

Information Disclosure Reviewx
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Missing Authorization vulnerability in ReviewX ReviewX allows Exploiting Incorrectly Configured Access Control Security Levels.6.28. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Reviewx
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The ReviewX - Multi-criteria Rating & Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the reviewx_remove_guest_image. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Reviewx
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken Access Control vulnerability in ReviewX.6.21. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Reviewx
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ReviewX allows Stored XSS.6.22. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Reviewx
NVD
EPSS 27% 4.1 CVSS 8.8
HIGH POC THREAT Act Now

The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.13 due to insufficient restriction on the 'rx_set_screen_options' function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 26.8%.

WordPress Privilege Escalation Reviewx
NVD VulDB
EPSS 1% CVSS 8.8
HIGH POC This Week

The 'rx_export_review' action in the ReviewX WordPress Plugin, is affected by an authenticated SQL injection vulnerability in the 'filterValue' and 'selectedColumns' parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Reviewx
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy