CVE-2025-12510 is a stored cross-site scripting (XSS) vulnerability identified in the Widgets for Google Reviews plugin for WordPress, affecting all versions up to and including 13.2.4. The root cause is insufficient sanitization and escaping of user-supplied data imported from Google Reviews, which the plugin displays on WordPress sites. This flaw allows unauthenticated attackers to inject malicious JavaScript code by submitting a crafted review to a Google Place associated with the vulnerable site. When an administrator or user accesses the imported reviews via the WordPress admin panel or potentially the frontend, the malicious script executes in their browser context. This can lead to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability does not require authentication or user interaction, increasing its risk profile. The CVSS 3.1 score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) indicates network exploitable, low attack complexity, no privileges or user interaction needed, with a scope change and partial confidentiality and integrity impact but no availability impact. No public exploits are known yet, but the vulnerability's nature and the widespread use of WordPress and Google Reviews widgets make it a significant threat. The vulnerability was reserved on 2025-10-30 and published on 2025-12-06, with no patch links currently available, indicating that mitigation may require manual intervention until an official update is released.

For European organizations, this vulnerability poses a significant risk to websites using the Widgets for Google Reviews plugin on WordPress, particularly those that rely on Google Reviews for customer engagement and reputation management. Exploitation can lead to unauthorized script execution in administrative contexts, potentially allowing attackers to hijack admin sessions, manipulate site content, or perform unauthorized administrative actions. This compromises the confidentiality and integrity of the affected systems and could lead to reputational damage, data breaches, or further compromise of internal networks. Given the plugin's integration with Google Places data, attackers can leverage publicly accessible review submission mechanisms to inject malicious payloads without direct access to the target system. This increases the attack surface and risk for organizations with an active online presence. The vulnerability does not impact availability directly but can facilitate further attacks that may disrupt services. European e-commerce, hospitality, and service sectors that heavily use Google Reviews widgets are particularly vulnerable, as attackers may exploit this vector to damage customer trust or conduct phishing campaigns. The lack of authentication and user interaction requirements further amplifies the threat, making it easier for attackers to exploit at scale.

Immediate mitigation should focus on monitoring and restricting the integration of Google Reviews data until a patch is available. Organizations should: 1) Disable or remove the Widgets for Google Reviews plugin temporarily if feasible. 2) Implement web application firewall (WAF) rules to detect and block suspicious script payloads in review data. 3) Apply manual input validation and output encoding on imported review content if custom code is used. 4) Limit administrative access to trusted personnel and enforce multi-factor authentication to reduce risk from compromised admin sessions. 5) Monitor logs for unusual activity or script execution patterns in the WordPress admin panel. 6) Stay updated with vendor announcements and apply official patches immediately once released. 7) Consider isolating the WordPress admin interface behind VPN or IP whitelisting to reduce exposure. 8) Educate site administrators about the risk of clicking on suspicious reviews or links. These steps go beyond generic advice by focusing on controlling the data ingestion point and hardening administrative access to mitigate exploitation risk until a vendor patch is available.