CVE-2025-10679
Received Received - Intake
Arbitrary Method Call Vulnerability in ReviewX Plugin Enables RCE

Publication date: 2026-03-23

Last updated on: 2026-03-23

Assigner: Wordfence

Description
The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to arbitrary method calls in all versions up to, and including, 2.2.12. This is due to insufficient input validation in the bulkTenReviews function that allows user-controlled data to be passed directly to a variable function call mechanism. This makes it possible for unauthenticated attackers to call arbitrary PHP class methods that take no inputs or have default values, potentially leading to information disclosure or remote code execution depending on available methods and server configuration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10679
EUVD
EUVD-2025-208924
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
reviewx woocommerce_product_reviews to 2.2.12 (inc)
reviewx reviewx to 2.2.12 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

The vulnerability exists in the ReviewX – WooCommerce Product Reviews plugin for WordPress, in all versions up to and including 2.2.12. It is caused by insufficient input validation in the bulkTenReviews function, which allows user-controlled data to be passed directly to a variable function call mechanism.

This flaw enables unauthenticated attackers to invoke arbitrary PHP class methods that either take no inputs or have default values. Depending on the methods available and the server configuration, this can lead to information disclosure or remote code execution.

Impact Analysis

This vulnerability can have serious impacts including unauthorized information disclosure and remote code execution on the affected server.

Because attackers can call arbitrary PHP methods without authentication, they might access sensitive data or execute malicious code remotely, potentially compromising the entire website or server.

The CVSS v3.1 base score of 7.3 reflects a high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed, affecting confidentiality, integrity, and availability.

Detection Guidance

[{'type': 'paragraph', 'content': "The vulnerability in the ReviewX WooCommerce Product Reviews plugin arises from insufficient input validation in the bulkTenReviews function, allowing unauthenticated attackers to invoke arbitrary PHP class methods. Detection would involve monitoring for unusual or unauthorized REST API calls targeting this plugin's endpoints, especially those related to bulk review operations."}, {'type': 'paragraph', 'content': 'Since the plugin exposes REST API endpoints under the /api/v1 prefix, you can inspect web server logs or use network monitoring tools to detect suspicious POST requests to endpoints related to review bulk operations, such as those invoking bulkTenReviews or similar bulk review management functions.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect potential exploitation attempts include:'}, {'type': 'list_item', 'content': 'Using grep on web server access logs to find suspicious POST requests to the ReviewX API endpoints, for example:'}, {'type': 'list_item', 'content': "grep -i 'POST /wp-json/api/v1/review/bulkTenReviews' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Or more generally, to find any POST requests to the ReviewX API:'}, {'type': 'list_item', 'content': "grep -i 'POST /wp-json/api/v1/review' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Using network monitoring tools like tcpdump or Wireshark to filter HTTP POST traffic to the WordPress site and inspect payloads for suspicious method calls or unusual parameters.'}, {'type': 'list_item', 'content': 'Checking WordPress logs or plugin-specific logs (if enabled) for unexpected review bulk operations or errors related to review processing.'}, {'type': 'paragraph', 'content': 'Note that no explicit detection commands or signatures are provided in the available resources, so detection relies on monitoring API usage patterns and logs for anomalous activity targeting the vulnerable plugin endpoints.'}] [1, 2]

Mitigation Strategies

Immediate mitigation steps for this vulnerability include:

  • Update the ReviewX WooCommerce Product Reviews plugin to a version later than 2.2.12 where the vulnerability is fixed, if such a version is available.
  • If an update is not immediately possible, restrict access to the vulnerable REST API endpoints by implementing firewall rules or web application firewall (WAF) rules to block unauthenticated requests to the plugin's API routes, especially those under /api/v1/review/* that handle bulk operations.
  • Disable or limit the plugin's REST API access to authenticated users only, if configurable, to prevent unauthenticated attackers from exploiting the arbitrary method call vulnerability.
  • Monitor logs for suspicious activity targeting the plugin's API endpoints and respond promptly to any detected exploitation attempts.

These steps help prevent unauthenticated attackers from invoking arbitrary PHP methods via the bulkTenReviews function, thereby reducing the risk of information disclosure or remote code execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10679. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart