CVE-2025-10679 is a code injection vulnerability classified under CWE-94, affecting the ReviewX – Multi-Criteria Reviews for WooCommerce plugin for WordPress, specifically versions up to and including 2.2.12. The vulnerability stems from the bulkTenReviews function, which fails to properly validate user input before passing it to a variable function call mechanism. This flaw allows unauthenticated attackers to invoke arbitrary PHP class methods that either require no parameters or have default values, potentially leading to unauthorized actions. Depending on the methods accessible and the server’s PHP configuration, attackers could achieve information disclosure or even remote code execution. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its threat level. The CVSS v3.1 base score is 7.3, indicating a high severity with network attack vector, low attack complexity, and no privileges or user interaction required. Although no exploits are currently known in the wild, the plugin’s popularity in WooCommerce stores worldwide makes this a critical issue. The lack of official patches at the time of reporting necessitates immediate attention from administrators to mitigate risk.

The impact of CVE-2025-10679 is significant for organizations using the affected ReviewX plugin in their WooCommerce-based WordPress sites. Successful exploitation can lead to unauthorized method invocation within the PHP environment, which may result in sensitive information disclosure or full remote code execution on the web server. This compromises the confidentiality, integrity, and availability of the affected systems. Attackers could leverage this to steal customer data, manipulate reviews or product information, deploy malware, or pivot to other internal systems. Given the plugin’s integration with e-commerce platforms, the breach could also damage customer trust and lead to financial losses. The vulnerability’s ease of exploitation and lack of required authentication make it a prime target for automated attacks and widespread exploitation campaigns once public exploits emerge.

To mitigate CVE-2025-10679, organizations should immediately update the ReviewX plugin to a patched version once available. In the absence of an official patch, administrators should consider temporarily disabling the plugin or restricting access to vulnerable endpoints via web application firewalls (WAFs) or server-level access controls. Implementing strict input validation and sanitization on the bulkTenReviews function can prevent arbitrary method calls. Monitoring web server logs for unusual requests targeting the plugin’s functions can help detect exploitation attempts. Additionally, running WordPress and all plugins with the least privileges necessary and isolating the web server environment can limit the impact of a successful attack. Regular backups and incident response plans should be in place to recover quickly if compromise occurs.