Site Reviews is a popular WordPress plugin designed to collect and display customer reviews on websites. It offers an easy-to-use interface for both site owners and customers to submit and view reviews. However, a critical vulnerability, CVE-2025-1232, has been discovered in the plugin. This flaw allows unauthenticated users to inject malicious JavaScript into the review form, which can lead to Stored Cross-Site Scripting (XSS) attacks. These attacks could result in unauthorized account creation with admin privileges, ultimately compromising the security of the affected website. With over 100,000 active installations, this vulnerability poses a significant threat to WordPress sites using the Site Reviews plugin.
| CVE | CVE-2025-1232 |
| Plugin | Site Reviews < 7.2.5 |
| Critical | High |
| All Time | 2 787 212 |
| Active installations | 100 000+ |
| Publicly Published | March 11, 2025 |
| Last Updated | March 11, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1232 https://wpscan.com/vulnerability/c4ea8357-ddd7-48ac-80c9-15b924715b14/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| February 11, 2025 | Plugin testing and vulnerability detection in the Site Reviews have been completed |
| February 11, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| March 11, 2025 | Registered CVE-2025-1232 |
Discovery of the Vulnerability
CVE-2025-1232 was discovered during a security audit of the Site Reviews plugin. The vulnerability is located in the review submission form, which allows users to submit reviews for products or services without any authentication. The plugin fails to properly sanitize the “Title” and “Description” fields of the review form, leaving them vulnerable to malicious input. An unauthenticated attacker can inject a malicious JavaScript payload into these fields. This input is then stored in the plugin’s database and executed whenever the “Latest Reviews” section is displayed on a page. The lack of input sanitization in the review form makes this vulnerability especially dangerous, as it can be exploited by any unauthenticated user.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is a common web application vulnerability that allows attackers to inject malicious scripts into a website, which are then executed in the browsers of users visiting the site. XSS vulnerabilities are particularly dangerous because they can lead to session hijacking, data theft, and unauthorized actions such as account takeover. In WordPress, XSS vulnerabilities often occur in plugins that allow users to submit content, such as comments, reviews, or form submissions, without proper sanitization. A real-world example of XSS exploitation in WordPress was seen in the WordPress plugin WPForms, where attackers could inject JavaScript into form fields. In CVE-2025-1232, the Site Reviews plugin allows unauthenticated users to exploit this type of vulnerability by injecting malicious scripts into review fields.
Exploiting the XSS Vulnerability
To exploit CVE-2025-1232, an attacker with No privileges:
POC:
1) From Unauth user put to the "Review Form" this payload DELETED in title and Description 2) To trigger XSS you should go to any page with Latest Reviews____
The potential risks of CVE-2025-1232 are substantial. If exploited, an attacker could hijack the session of an administrator or another user with elevated privileges, gaining full control over the WordPress site. This could lead to unauthorized actions such as installing malicious plugins, modifying site content, or stealing sensitive information. In a real-world scenario, an attacker could use this vulnerability to escalate their privileges and create a backdoor admin account, providing them with persistent access to the site even after the vulnerability is patched. This is particularly concerning for websites that handle sensitive data, such as e-commerce stores or membership platforms. Exploitation of this vulnerability could lead to severe consequences, including data breaches, financial loss, and reputational damage. Furthermore, the attacker could deface the website, inject malicious content, or spread malware to visitors.
Recommendations for Improved Security
To mitigate the risks posed by CVE-2025-1232, administrators should immediately update the Site Reviews plugin to the latest patched version once it becomes available. Additionally, administrators should ensure that all user input fields, especially those in public-facing forms such as the review submission form, are properly sanitized and validated. Implementing a Content Security Policy (CSP) can help limit the impact of XSS attacks by restricting the sources from which scripts can be executed. Additionally, site administrators should restrict the permissions of unauthenticated users and regularly review user roles to prevent privilege escalation. Limiting the use of JavaScript in input fields and using sanitization functions such as wp_kses() can also prevent malicious input from being executed. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-1232, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.