CVE-2025-10734: CWE-922 Insecure Storage of Sensitive Information in reviewx ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.12 via the syncedData function. This makes it possible for unauthenticated attackers to extract sensitive data including user names, emails, phone numbers, and addresses.
AI Analysis
Technical Summary
CVE-2025-10734 identifies a vulnerability classified under CWE-922 (Insecure Storage of Sensitive Information) in the ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema WordPress plugin. This vulnerability exists in all versions up to and including 2.2.12. The root cause is improper handling of sensitive user data within the syncedData function, which allows unauthenticated attackers to retrieve sensitive information such as user names, email addresses, phone numbers, and physical addresses. The flaw arises because the plugin exposes this data without adequate access controls or encryption, enabling remote attackers to access it over the network without authentication or user interaction. The vulnerability affects the confidentiality of user data but does not impact data integrity or system availability. The CVSS v3.1 base score is 5.3, indicating a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The scope remains unchanged (S:U), and only confidentiality is impacted (C:L). No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability poses a significant privacy risk to users of affected e-commerce sites, potentially leading to data leakage and privacy violations. The plugin is widely used in WooCommerce-based WordPress e-commerce platforms, which are popular globally, especially in countries with high WordPress adoption. The vulnerability underscores the importance of secure coding practices around sensitive data storage and access control in WordPress plugins.
Potential Impact
The primary impact of CVE-2025-10734 is the unauthorized disclosure of sensitive user information, including personally identifiable information (PII) such as names, emails, phone numbers, and addresses. This exposure can lead to privacy violations, identity theft, phishing attacks, and targeted social engineering campaigns against affected users. For organizations, the data leakage can result in reputational damage, loss of customer trust, and potential regulatory penalties under data protection laws such as GDPR or CCPA. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely and at scale, increasing the risk of mass data exposure. However, the vulnerability does not allow attackers to modify data or disrupt service, limiting the impact to confidentiality only. E-commerce businesses relying on the ReviewX plugin are at particular risk, as their customer databases may be exposed. The absence of known exploits in the wild currently reduces immediate risk, but the ease of exploitation and sensitive nature of the data make this a significant concern for organizations worldwide.
Mitigation Recommendations
1. Immediate mitigation involves updating the ReviewX plugin to a patched version once available. Since no patch links are currently provided, organizations should monitor vendor advisories closely.
2. Until a patch is released, restrict access to the syncedData function endpoint by implementing web application firewall (WAF) rules to block unauthenticated requests targeting this function.
3. Employ network-level access controls to limit exposure of the WordPress admin and plugin endpoints to trusted IP addresses only.
4. Review and audit all plugins for unnecessary data exposure and disable or remove plugins that are not essential.
5. Implement strict role-based access controls (RBAC) within WordPress to minimize data access.
6. Monitor logs for unusual access patterns or repeated requests to the syncedData endpoint.
7. Educate development teams on secure coding practices, especially regarding sensitive data handling and access control.
8. Consider encrypting sensitive data at rest and in transit within the application to reduce impact if exposed.
9. Conduct regular security assessments and penetration testing focused on plugin vulnerabilities.
10. Prepare incident response plans for potential data breaches involving customer PII.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-19T14:55:16.957Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c0d39df4197a8e3b12da1d
Added to database: 3/23/2026, 5:46:05 AM
Last enriched: 3/23/2026, 6:03:29 AM
Last updated: 3/24/2026, 6:51:01 AM