CVE-2025-12510 identifies a stored Cross-Site Scripting vulnerability in the Widgets for Google Reviews plugin for WordPress, affecting all versions up to 13.2.4. The vulnerability stems from the plugin's failure to properly sanitize and escape input data imported from Google Reviews, which is then embedded into web pages without adequate neutralization. This allows an unauthenticated attacker to inject arbitrary JavaScript code by submitting a malicious review to a Google Place associated with the vulnerable WordPress site. When an administrator or user accesses the imported reviews via the admin panel or potentially the frontend, the malicious script executes in their browser context. The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized administrative actions. The CVSS 3.1 score of 7.2 reflects that the attack can be performed remotely over the network without authentication or user interaction, and the vulnerability affects the security scope beyond the vulnerable component. Although no known exploits have been reported in the wild, the ease of exploitation and potential impact make this a significant threat. The vulnerability is categorized under CWE-79, which covers improper neutralization of input during web page generation. The plugin is widely used in WordPress sites to display Google Reviews, making many websites potentially vulnerable until patched. The lack of a patch link indicates that a fix may not yet be available, emphasizing the need for interim mitigations.

For European organizations, this vulnerability poses a significant risk to websites that utilize the Widgets for Google Reviews plugin to display customer feedback. Exploitation could lead to unauthorized script execution in administrative contexts, potentially allowing attackers to hijack admin sessions, steal sensitive data, or perform unauthorized actions within the WordPress environment. This can compromise the confidentiality and integrity of organizational data and disrupt website operations. Public-facing websites relying on Google Reviews for reputation management are particularly vulnerable, as attackers can leverage the review submission process to inject malicious payloads. The impact extends to customer trust and brand reputation, especially for e-commerce, hospitality, and service sectors prevalent in Europe. Additionally, regulatory frameworks such as GDPR impose strict data protection requirements, and exploitation of this vulnerability could lead to compliance violations and associated penalties. The vulnerability's network-exploitable nature without authentication increases the attack surface, making it easier for threat actors to target European organizations with minimal barriers.

Organizations should prioritize updating the Widgets for Google Reviews plugin to a patched version once it becomes available from the vendor. Until a patch is released, administrators should consider disabling the plugin or removing the Google Reviews widget from their sites to eliminate exposure. Implementing Web Application Firewall (WAF) rules to detect and block suspicious script injection patterns in incoming review data can provide interim protection. Additionally, organizations can enforce strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on their websites. Regularly monitoring Google Places reviews for suspicious or unexpected content can help identify potential attack attempts early. Site administrators should also ensure that WordPress and all plugins are kept up to date and conduct security audits focusing on input validation and output encoding practices. Employing security plugins that sanitize user-generated content and restrict administrative access to trusted personnel further reduces risk. Finally, educating staff about the risks of XSS and safe review management practices can enhance overall security posture.