The vulnerability identified as CVE-2025-10736 affects the ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema plugin for WordPress, specifically versions up to and including 2.2.10. The root cause is improper authorization checks in the userAccessibility() function, which is responsible for controlling access to certain REST API endpoints. Due to this flaw, unauthenticated attackers can bypass authorization controls and access protected API endpoints that should only be available to authorized users. This unauthorized access enables attackers to extract sensitive information related to users and the plugin’s configuration, and potentially modify this data. The vulnerability is categorized under CWE-285 (Improper Authorization), indicating a failure to properly restrict access to resources. The CVSS v3.1 base score is 6.5, reflecting a medium severity with network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and impacts on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). Although no known exploits have been reported in the wild, the ease of exploitation and the sensitive nature of the data accessible through the API make this a significant concern for affected sites. The plugin is widely used in WooCommerce-based e-commerce sites, which are common globally, making the vulnerability relevant to many organizations relying on WordPress for online retail.

The primary impact of this vulnerability is unauthorized disclosure and modification of sensitive data related to users and plugin configuration. This can lead to privacy violations, data integrity issues, and potential manipulation of review data that could affect business reputation and customer trust. Attackers could leverage this access to gather intelligence for further attacks, including social engineering or targeted exploitation of user accounts. Since the vulnerability does not require authentication or user interaction, it can be exploited remotely and at scale, increasing the risk of widespread data breaches. Organizations running WooCommerce stores with the affected plugin may face regulatory compliance issues if customer data is exposed. Additionally, the integrity of product reviews and ratings could be compromised, impacting e-commerce credibility and sales. Although availability is not directly affected, the indirect consequences of data manipulation and loss of trust can have significant operational and financial repercussions.

To mitigate this vulnerability, organizations should immediately restrict access to the affected REST API endpoints by implementing strict access controls, such as IP whitelisting or authentication enforcement, until an official patch is released. Monitoring and logging REST API requests can help detect anomalous or unauthorized access attempts early. Administrators should review and harden WordPress and WooCommerce security configurations, disabling unnecessary REST API endpoints if possible. It is critical to update the ReviewX plugin to a patched version once available from the vendor. In the interim, consider disabling the plugin if its functionality is not essential or using alternative plugins with verified security. Conduct regular security audits and vulnerability scans focusing on WordPress plugins to identify and remediate similar issues proactively. Educate site administrators about the risks of unauthorized API access and encourage prompt application of security updates.