Vulnerabilities and security researches forultimate-reviews ultimate-reviews

Jun 07, 2024

CVE, Research URL: CVE-2022-23979
Home page URL: Security reports for Ultimate Reviews
Application: Ultimate Reviews
Date: Jan 29, 2022
Research Description: Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability discovered in Ultimate Reviews WordPress plugin (versions <= 3.0.15).
Affected versions: max 3.0.16.
Status: vulnerable

CVE, Research URL: CVE-2024-25597
Home page URL: Security reports for Ultimate Reviews
Application: Ultimate Reviews
Date: Mar 15, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Etoile Web Design Ultimate Reviews allows Stored XSS.This issue affects Ultimate Reviews: from n/a through 3.2.8.
Affected versions: max 3.2.9.
Status: vulnerable

CVE, Research URL: CVE-2020-36726
Home page URL: Security reports for Ultimate Reviews
Application: Ultimate Reviews
Date: Jun 07, 2023
Research Description: The Ultimate Reviews plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.1.32 via deserialization of untrusted input in several vulnerable functions. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin.
Affected versions: max 2.1.33.
Status: vulnerable

Jun 15, 2025

CVE, Research URL: CVE-2025-49266
Home page URL: Security reports for Ultimate Reviews
Application: Ultimate Reviews
Date: Jun 17, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Ultimate Reviews ultimate-reviews allows Reflected XSS.This issue affects Ultimate Reviews: from n/a through <= 3.2.14.
Affected versions: max 3.2.15.
Status: vulnerable

Jan 27, 2026

CVE, Research URL: CVE-2026-24634
Home page URL: Security reports for Ultimate Reviews
Application: Ultimate Reviews
Date: Jan 23, 2026
Research Description: Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Ultimate Reviews ultimate-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Reviews: from n/a through <= 3.2.16.
Affected versions: max 3.2.17.
Status: vulnerable

Jun 16, 2026

CVE, Research URL: 75ad8726-09a5-49b7-9534-61371a543764
Home page URL: Security reports for Ultimate Reviews
Application: Ultimate Reviews
Date: -
Research Description: Ultimate Reviews [ultimate-reviews] < 2.1.33 Ultimate Reviews < 2.1.33 - Unauthenticated PHP Object Injection There were three occurrences in the plugin where an unauthenticated user could inject a serialized PHP object via a cookie, which could potentially lead to a PHP object injection vulnerability.
Affected versions: max 2.1.33.
Status: vulnerable

CVE, Research URL: df3690bd6a84bf7178e96f950b167e2809ab265f
Home page URL: Security reports for Ultimate Reviews
Application: Ultimate Reviews
Date: Nov 10, 2020
Research Description: Ultimate Reviews [ultimate-reviews] < 2.1.33 Ultimate Reviews < 2.1.33 - PHP Object Injection The Ultimate Reviews plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.1.32 via deserialization of untrusted input in several vulnerable functions. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin.
Affected versions: max 2.1.33.
Status: vulnerable

CVE, Research URL: 6f21ed04a9f12ae477da929e077a2ecc2ffeb911
Home page URL: Security reports for Ultimate Reviews
Application: Ultimate Reviews
Date: Nov 10, 2020
Research Description: Ultimate Reviews [ultimate-reviews] < 2.1.33 WordPress Ultimate Reviews plugin <= 2.1.32 - Insecure Deserialization vulnerability leading to unauthenticated PHP object injection Insecure Deserialization vulnerability leading to unauthenticated PHP object injection found by Jerome Bruandet (NinTechNet) in WordPress Ultimate Reviews plugin (versions <= 2.1.32).
Affected versions: max 2.1.33.
Status: vulnerable