The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `trustindex` shortcode in all versio

GOOGLE

WORDPRESS

12-12-2025 14:22

CVE-2025-9436 Vulnerabilidad documentada

Sin puntuación

Tags

#wordpress

#google

#site

#plugin

#cross

#widgets for google reviews

#web

#cross-site

#/widgets(.*)for(.*)google(.*)reviews/iU

#cross-site scripting

#attackers

#authenticated

#arbitrary

#vulnerable

#scripting

#inject

#execute

#attack

#access

Descripción

The Widgets for Google Reviews plugin WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `trustindex` shortcode in all versions up to, and including, 13.2.1 due insufficient input sanitization output escaping on user supplied attributes. This makes it possible authenticated attackers, with contributor-level access above, inject arbitrary web scripts pages that will execute whenever a accesses an injected page.

https://plugins.trac.wordpress.org/browser/wp-reviews-plugin-for-google/tags/13.0/trustindex-plugin.class.php#L803

https://www.wordfence.com/threat-intel/vulnerabilities/id/94974552-1c52-417b-9b4e-c30fd13a8ad4?source=cve

Referencia

Link externo

Ver detalles

Fuente

https://nvd.nist.gov/vuln/detail/CVE-2025-9436

Resultados similares

Coincidentes en almenos en 50% de los tags

15-12-2025 CVE-2025-14383
The Booking Calendar plugin for WordPress is vulnerable to time-based blind SQL Injection via t...
Ver información

15-12-2025 CVE-2025-13355
The URL Shortify WordPress plugin before 1.11.4 does not sanitise and escape a parameter befor...
Ver información