CVE-2025-7327 is a critical vulnerability classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Programs) affecting the Widget for Google Reviews plugin for WordPress, developed by techlabpro1. The flaw exists in all plugin versions up to and including 1.0.15 and arises from insufficient validation of the 'layout' parameter, which is susceptible to directory traversal attacks. Authenticated users with Subscriber-level privileges or higher can exploit this vulnerability by manipulating the 'layout' parameter to include arbitrary PHP files from the server. This leads to remote file inclusion (RFI), allowing execution of attacker-controlled PHP code within the context of the web server. The vulnerability enables attackers to bypass access controls, escalate privileges, exfiltrate sensitive information, or disrupt service availability. Unlike typical file upload vulnerabilities, this attack vector leverages existing files on the server or uploaded PHP files disguised as safe file types. The vulnerability requires no user interaction beyond authentication, making it easier to exploit in compromised or low-trust environments. The CVSS v3.1 score of 8.8 reflects the network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently observed in the wild, the vulnerability poses a significant threat to WordPress sites using this plugin, especially those with multiple users or weak authentication controls.

The impact of CVE-2025-7327 is substantial for organizations using the affected WordPress plugin. Successful exploitation can lead to full remote code execution on the web server, allowing attackers to execute arbitrary PHP code with the privileges of the web server process. This can result in complete compromise of the affected website, including defacement, data theft, installation of backdoors, or pivoting to internal networks. Confidential data stored or processed by the website may be exposed or altered, undermining data integrity and confidentiality. Availability can also be impacted if attackers disrupt services or deploy ransomware. Since the vulnerability requires only Subscriber-level authentication, attackers can exploit compromised or low-privilege accounts, increasing the attack surface. Organizations with public-facing WordPress sites using this plugin are at risk of reputational damage, regulatory penalties, and operational disruption. The lack of public exploits currently reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code may emerge. The vulnerability is particularly critical for high-traffic websites, e-commerce platforms, and sites handling sensitive user data.

To mitigate CVE-2025-7327, organizations should immediately update the Widget for Google Reviews plugin to a patched version once available. If no patch is currently released, temporarily disabling or uninstalling the plugin is recommended to eliminate the attack vector. Restricting user roles and permissions to minimize the number of users with Subscriber-level or higher access reduces the risk of exploitation. Implementing web application firewall (WAF) rules to detect and block directory traversal patterns in HTTP requests targeting the 'layout' parameter can provide interim protection. Conduct thorough audits of uploaded files to ensure no unauthorized PHP files exist on the server. Employ strict input validation and sanitization on all user-supplied parameters, especially those used in file inclusion functions. Monitoring server logs for suspicious activity related to file inclusion attempts can help detect exploitation attempts early. Additionally, hardening the PHP configuration to disable dangerous functions like include(), require(), or limiting their use via open_basedir restrictions can reduce impact. Regular backups and incident response plans should be in place to recover quickly if compromise occurs.