CVE-2026-25344
Information Exposure in RadiusTheme Review Schema
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| radiustheme | review_schema | to 2.2.6 (inc) |
| radius_theme | review_schema | to 2.2.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-497 | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25344 is a vulnerability in the WordPress Review Schema Plugin versions up to and including 2.2.6 that allows exposure of sensitive system information to unauthorized users.
Specifically, malicious actors with subscriber or developer privileges can retrieve embedded sensitive data that should normally be restricted.
This vulnerability is classified under the OWASP Top 10 category A3: Sensitive Data Exposure and has a moderate severity level with a CVSS score of 6.5.
How can this vulnerability impact me? :
The vulnerability allows users with subscriber or developer privileges to access sensitive information that should be protected.
This exposure could potentially enable further exploitation of the system by attackers.
Although the impact is considered low priority and exploitation is unlikely, such vulnerabilities are often targeted in mass-exploit campaigns affecting many websites regardless of their popularity.
Users are strongly advised to update to version 2.2.7 or later of the plugin to mitigate this risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects WordPress sites using the Review Schema Plugin version 2.2.6 or earlier. Detection involves identifying if your system is running a vulnerable version of this plugin.
You can check the installed plugin version by running commands on your server or through the WordPress admin interface.
- Using WP-CLI: wp plugin list | grep review-schema
- Manually checking the plugin version in the WordPress admin dashboard under Plugins.
Since the vulnerability requires subscriber or developer privileges to exploit, monitoring for unusual access or privilege escalations related to these roles may also help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to update the Review Schema Plugin to version 2.2.7 or later, where the vulnerability has been patched.
Additionally, consider implementing auto-updates for vulnerable plugins to ensure rapid protection against similar issues in the future.
Limit subscriber and developer privileges to trusted users only, as the vulnerability requires these roles to be exploited.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in the Review Schema Plugin allows unauthorized access to sensitive system information by users with subscriber or developer privileges. Exposure of sensitive data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.
Although the impact is considered low priority and unlikely to be exploited, the presence of such a vulnerability increases the risk of data breaches, which can result in regulatory penalties and loss of trust. Therefore, organizations using the affected plugin versions should update to the patched version 2.2.7 or later to maintain compliance with common standards and regulations.