Attack Vectors

CVE-2025-10736 is a Medium-severity vulnerability (CVSS 6.5) affecting the WordPress plugin ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema (slug: reviewx) in versions up to and including 2.2.10.

Because this issue can be exploited remotely over the network and requires no login, an attacker can target exposed sites by sending requests directly to the site’s REST API endpoints associated with ReviewX. No user interaction is required, which increases the likelihood of automated scanning and opportunistic exploitation.

Reference: CVE-2025-10736

Security Weakness

The root cause is an incorrect authorization (improper permission checking) related to the plugin’s userAccessibility() function. This weakness allows unauthenticated requests to reach REST API functionality that should be protected.

As a result, attackers may be able to access protected REST API endpoints and extract or modify information related to users and the plugin’s configuration. (Source: Wordfence vulnerability advisory)

Remediation guidance is straightforward: update ReviewX to version 2.2.12 or newer, which contains the patch.

Technical or Business Impacts

For business leaders, the key risk is that ReviewX sits close to high-value business functions—customer experience, reputation, and conversion—because it influences how product reviews and related signals appear on your website. With CVE-2025-10736, an attacker could potentially access information and manipulate plugin-related configuration without authentication, creating both security and brand exposure.

Potential impacts include:

Reputation and revenue risk: If review-related settings or associated data are modified, customers may lose trust in the authenticity of on-site reviews. Even temporary disruption can affect conversion rates, paid media efficiency, and brand sentiment.

Compliance and privacy considerations: The advisory indicates attackers may access information “related to users.” If that data includes personal information in your specific deployment, this can trigger internal incident response, legal review, and potential regulatory obligations depending on jurisdiction and data type.

Operational disruption: Security teams may need to investigate logs, validate review integrity, and confirm configuration settings—work that pulls time away from marketing operations and eCommerce optimization.

Similar Attacks

Authorization flaws that allow unauthenticated access or changes in WordPress environments are a recurring pattern. Examples include:

CVE-2017-5487 – A WordPress REST API vulnerability that allowed content manipulation under certain conditions, illustrating how REST endpoints can become high-impact when authorization boundaries fail.

CVE-2018-19207 – A WordPress plugin authorization/validation weakness (WP GDPR Compliance) that enabled unauthorized actions, demonstrating how plugin-level permission issues can escalate into serious business risk.