CVE-2025-10679
Status: Received - Intake
Arbitrary Method Call Vulnerability in ReviewX Plugin Enables RCE

Publication date: 2026-03-23

Last updated on: 2026-03-23

Assigner: Wordfence

Description
The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to arbitrary method calls in all versions up to, and including, 2.2.12. This is due to insufficient input validation in the bulkTenReviews function that allows user-controlled data to be passed directly to a variable function call mechanism. This makes it possible for unauthenticated attackers to call arbitrary PHP class methods that take no inputs or have default values, potentially leading to information disclosure or remote code execution depending on available methods and server configuration.
Meta Information
Published: 2026-03-23
Last Modified: 2026-03-23
Generated: 2026-05-07
AI Q&A: 2026-03-23
EPSS Evaluated: 2026-05-05
External records: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
reviewx woocommerce_product_reviews to 2.2.12 (inc)
reviewx reviewx to 2.2.12 (inc)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


Can you explain this vulnerability to me?

The vulnerability exists in the ReviewX – WooCommerce Product Reviews plugin for WordPress, in all versions up to and including 2.2.12. It is caused by insufficient input validation in the bulkTenReviews function, which allows user-controlled data to be passed directly to a variable function call mechanism.

This flaw enables unauthenticated attackers to invoke arbitrary PHP class methods that either take no inputs or have default values. Depending on the methods available and the server configuration, this can lead to information disclosure or remote code execution.
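The "variable function call mechanism" named above is the PHP feature that lets a string decide which method runs (`$object->$name()`). The following is an added illustration, not code from the ReviewX plugin: it reconstructs the generic pattern the advisory describes, a request value used directly as a method name, beside an allowlisted dispatcher that maps request values to a fixed set of methods. The class and method names are invented for the illustration.

```php
<?php
// Added illustrative example, not the ReviewX plugin's code. Class and method
// names are invented; only the dispatch pattern is what the advisory describes.

class ReviewBulkHandler
{
    // Operations this handler is actually meant to expose.
    public function approveSelected(): string { return 'approved'; }
    public function trashSelected(): string   { return 'trashed'; }

    // Unrelated public method with no required parameters. A variable method call
    // driven by request data can reach it just as easily as the intended ones.
    public function dumpConfig(): string { return 'db-credentials-and-secrets'; }

    // VULNERABLE PATTERN (CWE-94 style): the request string becomes the method
    // name. Any public method that needs no arguments is now reachable.
    public function dispatchUnsafe(array $request): string
    {
        $action = $request['action'] ?? '';
        return $this->$action();
    }

    // HARDENED PATTERN: request values are keys into a fixed allowlist; the
    // request never names a PHP method directly, and unknown keys are rejected.
    private const ALLOWED_ACTIONS = [
        'approve' => 'approveSelected',
        'trash'   => 'trashSelected',
    ];

    public function dispatchSafe(array $request): string
    {
        $action = $request['action'] ?? '';
        if (!is_string($action) || !array_key_exists($action, self::ALLOWED_ACTIONS)) {
            throw new InvalidArgumentException('Unknown bulk action');
        }
        $method = self::ALLOWED_ACTIONS[$action];
        return $this->$method();   // variable call, but only over allowlisted names
    }
}

$handler = new ReviewBulkHandler();

echo $handler->dispatchSafe(['action' => 'approve']), PHP_EOL;      // approved
echo $handler->dispatchUnsafe(['action' => 'dumpConfig']), PHP_EOL; // unrelated method reached

try {
    $handler->dispatchSafe(['action' => 'dumpConfig']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;  // rejected: Unknown bulk action
}
```

The allowlist is the fix for the code-injection class of the bug; the "unauthenticated" part of the advisory is a separate control. In a WordPress REST handler that means registering the route with a `permission_callback` that checks the caller's capability, so that requests from anonymous users never reach the dispatcher at all.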


How can this vulnerability impact me?

This vulnerability can have serious impacts including unauthorized information disclosure and remote code execution on the affected server.

Because attackers can call arbitrary PHP methods without authentication, they might access sensitive data or execute malicious code remotely, potentially compromising the entire website or server.

The CVSS v3.1 base score of 7.3 reflects a high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed, affecting confidentiality, integrity, and availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability in the ReviewX WooCommerce Product Reviews plugin arises from insufficient input validation in the bulkTenReviews function, allowing unauthenticated attackers to invoke arbitrary PHP class methods. Detection would involve monitoring for unusual or unauthorized REST API calls targeting this plugin's endpoints, especially those related to bulk review operations.

Since the plugin exposes REST API endpoints under the /api/v1 prefix, you can inspect web server logs or use network monitoring tools to detect suspicious POST requests to endpoints related to review bulk operations, such as those invoking bulkTenReviews or similar bulk review management functions.

Suggested commands to detect potential exploitation attempts include:

  • Using grep on web server access logs to find suspicious POST requests to the ReviewX API endpoints, for example:
    grep -i 'POST /wp-json/api/v1/review/bulkTenReviews' /var/log/apache2/access.log
  • Or more generally, to find any POST requests to the ReviewX API:
    grep -i 'POST /wp-json/api/v1/review' /var/log/apache2/access.log
  • Using network monitoring tools like tcpdump or Wireshark to filter HTTP POST traffic to the WordPress site and inspect payloads for suspicious method calls or unusual parameters.
  • Checking WordPress logs or plugin-specific logs (if enabled) for unexpected review bulk operations or errors related to review processing.

Note that no explicit detection commands or signatures are provided in the available resources, so detection relies on monitoring API usage patterns and logs for anomalous activity targeting the vulnerable plugin endpoints.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps for this vulnerability include:

  • Update the ReviewX WooCommerce Product Reviews plugin to a version later than 2.2.12 where the vulnerability is fixed, if such a version is available.
  • If an update is not immediately possible, restrict access to the vulnerable REST API endpoints by implementing firewall rules or web application firewall (WAF) rules to block unauthenticated requests to the plugin's API routes, especially those under /api/v1/review/* that handle bulk operations.
  • Disable or limit the plugin's REST API access to authenticated users only, if configurable, to prevent unauthenticated attackers from exploiting the arbitrary method call vulnerability.
  • Monitor logs for suspicious activity targeting the plugin's API endpoints and respond promptly to any detected exploitation attempts.

These steps help prevent unauthenticated attackers from invoking arbitrary PHP methods via the bulkTenReviews function, thereby reducing the risk of information disclosure or remote code execution.
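The second and third mitigation steps (gating the plugin's REST routes to authenticated users until an update can be applied) can be done inside WordPress itself rather than at the web server. The following is an added example, not something the plugin ships: a must-use plugin that hooks WordPress's `rest_pre_dispatch` filter and rejects unauthenticated requests whose route starts with the plugin's prefix, logging each rejection for the monitoring step. The `/api/v1/review` prefix is an assumption taken from the answers above, not a value confirmed by the advisory; check the routes the installed plugin actually registers (listed at /wp-json/) before relying on it.

```php
<?php
/**
 * Plugin Name: ReviewX REST route guard (stop-gap)
 *
 * Added example, not part of the ReviewX plugin. Place in wp-content/mu-plugins/
 * to require an authenticated user for the plugin's REST routes until the
 * plugin is updated. The prefix list is an ASSUMPTION: verify it against the
 * routes the installed plugin registers.
 */

const REVIEWX_GUARD_PREFIXES = [
    '/api/v1/review',   // assumed route prefix, confirm via /wp-json/
];

add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    $route = $request->get_route();

    foreach (REVIEWX_GUARD_PREFIXES as $prefix) {
        if (strncmp($route, $prefix, strlen($prefix)) !== 0) {
            continue;
        }

        if (!is_user_logged_in()) {
            // Record the rejection so it shows up alongside the access-log
            // monitoring the advisory recommends.
            error_log(sprintf(
                'reviewx-guard: blocked %s %s from %s',
                $request->get_method(),
                $route,
                $_SERVER['REMOTE_ADDR'] ?? 'unknown'
            ));

            // A non-null return short-circuits dispatch; a WP_Error becomes
            // an error response with the given HTTP status.
            return new WP_Error(
                'rest_forbidden',
                'Authentication required for this route.',
                ['status' => 401]
            );
        }
        break;
    }

    return $result;   // null: let WordPress dispatch the request normally
}, 10, 3);
```

Before enabling this on a production store, confirm which of the guarded routes the storefront itself calls for anonymous shoppers (for example, submitting a product review); those will start returning 401 too, so the guard may need a narrower prefix list. Remove the file once the patched plugin version is installed.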

