CVE-2025-12510: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in trustindex Widgets for Google Reviews
The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 13.2.4 due to insufficient input sanitization and output escaping on Google Reviews data imported by the plugin. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute in the admin panel (and potentially on the frontend) whenever a user accesses imported reviews, provided they can add a malicious review to a Google Place that is connected to the vulnerable site.
AI Analysis
Technical Summary
CVE-2025-12510 is a stored cross-site scripting (XSS) vulnerability, CWE-79, in the Widgets for Google Reviews plugin for WordPress (vendor: trustindex), affecting all versions up to and including 13.2.4. The plugin imports review data (reviewer name, review text and associated fields) from Google Places connected to the site and renders it in the WordPress admin panel and potentially on the frontend without adequate sanitization on import or escaping on output. Because anyone with a Google account can leave a review on a public Google Place, an attacker who posts a review containing HTML or JavaScript to a Place connected to a vulnerable site gets that payload stored and rendered by the plugin; the script then executes in the browser of whoever views the imported reviews, with the privileges of that user's session. When the viewer is an administrator in wp-admin, that means arbitrary actions in the administrative interface. The attacker needs no account on the WordPress site and no interaction from the victim beyond opening the page on which the reviews are displayed. The CVSS v3.1 base score is 7.2 (High), corresponding to vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N: network attack vector, low attack complexity, no privileges required, no user interaction, changed scope, low (partial) confidentiality and integrity impact and no availability impact. No in-the-wild exploitation has been reported, but the only precondition is the ability to post a Google review, so the practical bar for exploitation is low. The root cause is the familiar one of treating third-party API data as trusted: content fetched from an external service is attacker-influenced and must be escaped for the context in which it is rendered.
Potential Impact
An unauthenticated attacker who can post a review to the connected Google Place can get JavaScript executed in the browser of any WordPress user who views the imported reviews, most importantly an administrator in wp-admin. WordPress sets its authentication cookies HttpOnly, so plain cookie theft is not the realistic goal; the script instead acts with the victim's live session and nonces, which is enough to create a new administrator account, install or edit plugins and themes, or change site settings, i.e. a full site takeover, data exposure and disruption of the business running the site. Where the plugin also renders the reviews on the frontend, the same payload reaches every visitor and can be used for redirects, drive-by malware delivery or credential phishing under the site's own domain. The exposed population is every site running a vulnerable version with a Google Place connected, which could be substantial given WordPress's market share and the popularity of Google Reviews widgets, and because the precondition is only a Google account, the pool of potential attackers is unrestricted. Confidentiality and integrity of site data and administrator sessions are affected; availability is not directly impacted. The absence of reported in-the-wild exploitation lowers immediate urgency but not the underlying risk, since the payload is just a public review and proof-of-concept material can appear quickly.
Mitigation Recommendations
Update the Widgets for Google Reviews plugin to a release later than 13.2.4, the last version in the affected range. Until that is done, deactivate the plugin or, at minimum, avoid opening its review screens in wp-admin, since the vulnerability fires when a logged-in user views the imported reviews. Be clear about what does not help here: the payload arrives through the plugin's own import of review data rather than in an inbound HTTP request to the site, so web application firewall rules on incoming traffic will not see it; likewise multi-factor authentication does not stop a script already running inside an authenticated administrator session, although MFA and restricting wp-admin to trusted IP addresses remain worthwhile for limiting what stolen credentials are worth. Review the Google Places connected to the site and inspect recent reviews for HTML tags, inline event handlers or javascript: URLs, and report malicious reviews to Google for removal; if the plugin caches imported reviews, stored copies remain until it re-syncs. Monitor for the actions an attacker would take with a hijacked admin session: newly created administrator users, plugin or theme installs and file edits, and changed site URLs or options. A Content Security Policy can limit damage on the frontend, but wp-admin relies on inline scripts, so a strict CSP there is rarely practical. Developers of plugins that import third-party content should treat API responses as untrusted input and escape on output for the rendering context (esc_html() for text, esc_attr() for attributes, esc_url() for links, and wp_kses() only where limited HTML is genuinely required).
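The bug class described in the technical summary, and the output-escaping audit and review-triage steps recommended above, as an added stand-alone PHP example. This is not code from the Widgets for Google Reviews plugin: the review array layout, field names and payloads are constructed, and the esc_* polyfills are deliberately stricter stand-ins for WordPress's own functions, present only so the script runs outside WordPress.

```php
<?php
// Added example, not code from the Widgets for Google Reviews plugin. It shows the
// bug class behind CVE-2025-12510 (imported review data concatenated into markup)
// beside the escaped form, plus a triage check for suspicious imported reviews.
// The review array layout below is an assumption; field names are illustrative.

// Polyfills so the script runs stand-alone with `php example.php`. Inside WordPress the
// real esc_html()/esc_attr()/esc_url() from wp-includes/formatting.php are defined and
// these are skipped. The esc_url() stand-in is deliberately stricter than WordPress's
// (absolute http/https URLs only).
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return esc_html($text);
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $url): string {
        $url = trim($url);
        // Reject anything that is not an absolute http(s) URL: this is what stops
        // javascript: and data: schemes, which attribute escaping alone does not.
        return preg_match('#^https?://#i', $url) ? esc_attr($url) : '';
    }
}

// Constructed sample review. Every field here is attacker-controlled: the reviewer
// chooses their display name, review text and profile photo, and the plugin imports
// them from the Google Place connected to the site.
$review = [
    'author_name'       => 'Mallory" onmouseover="alert(1)',
    'text'              => '<img src=x onerror="fetch(\'/wp-admin/user-new.php\')"> Great service!',
    'profile_photo_url' => 'javascript:alert(document.domain)',
    'rating'            => 5,
];

// Vulnerable pattern (the "before"): imported data dropped straight into HTML in the
// admin review list. The author_name payload breaks out of the attribute, the text
// payload carries an event handler, and the photo URL smuggles a javascript: scheme.
function render_review_unsafe(array $r): string {
    return '<div class="review" data-author="' . $r['author_name'] . '">'
         . '<img src="' . $r['profile_photo_url'] . '" alt="">'
         . '<p>' . $r['text'] . '</p>'
         . '<span class="stars">' . $r['rating'] . '</span></div>';
}

// Hardened: escape on output, per context. Review text is plain text, so it is
// HTML-escaped wholesale rather than filtered; attributes use esc_attr(); the URL is
// scheme-validated with esc_url(); the rating is coerced to an integer and clamped.
function render_review_safe(array $r): string {
    $photo  = esc_url((string) $r['profile_photo_url']);
    $img    = $photo !== '' ? '<img src="' . $photo . '" alt="">' : '';
    $rating = max(1, min(5, (int) $r['rating']));
    return '<div class="review" data-author="' . esc_attr((string) $r['author_name']) . '">'
         . $img
         . '<p>' . esc_html((string) $r['text']) . '</p>'
         . '<span class="stars">' . $rating . '</span></div>';
}

// Triage helper for site owners: flag imported reviews carrying tags, inline event
// handlers or a javascript: scheme so they can be inspected (and reported to Google)
// without opening them in an unpatched wp-admin. Heuristic, so expect some false positives.
function review_looks_suspicious(array $r): bool {
    $fields = implode("\n", [(string) $r['author_name'], (string) $r['text'], (string) $r['profile_photo_url']]);
    return (bool) preg_match('/<\s*\/?[a-z]|\bon[a-z]+\s*=|javascript\s*:/i', $fields);
}

echo "Unsafe rendering:\n", render_review_unsafe($review), "\n\n";
echo "Safe rendering:\n", render_review_safe($review), "\n\n";
echo 'Suspicious: ', review_looks_suspicious($review) ? 'yes' : 'no', "\n";
```

The point of the safe renderer is that escaping is chosen by output context, not applied once on import: the same review text is escaped with esc_html() inside the paragraph, the name with esc_attr() inside an attribute, and the photo URL is validated rather than escaped, because an attribute-escaped javascript: URL is still a javascript: URL. Sanitizing on import (for example stripping tags) is a useful second layer, but it is not a substitute for escaping at render time, since the stored data may later be rendered in a context the import-time filter did not anticipate.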
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-30T14:13:05.206Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6933a6d1f88dbe026c8d8258
Added to database: 12/6/2025, 3:45:21 AM
Last enriched: 2/27/2026, 8:39:44 PM
Last updated: 3/25/2026, 3:09:30 AM