CVE-2025-10734
Sensitive Information Exposure in ReviewX WooCommerce Plugin
Publication date: 2026-03-23
Last updated on: 2026-03-23
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| reviewx | woocommerce_product_reviews | to 2.2.12 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-922 | The product stores sensitive information without properly limiting read or write access by unauthorized actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the ReviewX – WooCommerce Product Reviews plugin for WordPress, in all versions up to and including 2.2.12. It is caused by the syncedData function, which allows unauthenticated attackers to access sensitive information.
This flaw enables attackers to extract sensitive user data such as user names, email addresses, phone numbers, and physical addresses without needing to be logged in or have any privileges.
How can this vulnerability impact me?
This vulnerability can lead to the exposure of sensitive personal information of users, including names, emails, phone numbers, and addresses.
Such exposure can result in privacy violations, identity theft, phishing attacks, and other malicious activities targeting affected users.
Since the vulnerability can be exploited by unauthenticated attackers remotely, it poses a significant risk to the confidentiality of user data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know