High (7.3)

WordPress RCE (CVE-2025-10679)

The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to arbitrary method calls in all versions up to, and in...

Overview

A significant security vulnerability, tracked as CVE-2025-10679, has been discovered in the ReviewX plugin for WordPress. This plugin, used for managing product reviews on WooCommerce stores, contains a flaw that could allow an unauthenticated attacker to call arbitrary PHP methods on the server. All versions up to and including 2.2.12 are affected.

Understanding the Vulnerability

The vulnerability resides in the bulkTenReviews function. Because user input is not sufficiently validated, attacker-supplied data is used directly as the name in a variable function call. An attacker can therefore invoke PHP class methods that were never meant to be reachable from a request, specifically any method that takes no arguments or whose parameters all have default values.

In simple terms, it’s like an attacker finding a way to press arbitrary, hidden buttons on the server’s backend. While not every button press will have a catastrophic effect, the potential exists to trigger actions that leak sensitive data or, depending on the server’s configuration and available code, execute malicious commands.
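The following is an added illustration of the pattern described above, not the ReviewX plugin's code; the class, method names and the `op` request field are hypothetical. It shows a handler whose method name comes straight from the request, beside a hardened version that maps a small allow-list of operation names to methods and rejects everything else before any call is made.

```php
<?php
// Added illustration, not code from the ReviewX plugin. The class,
// method names and the "op" request field are hypothetical.

class ReviewHandler
{
    // Intended to be reachable from a request; has a default parameter.
    public function markHelpful(int $reviewId = 0): string
    {
        return "helpful:$reviewId";
    }

    // Internal helper that must never be reachable from a request.
    public function dumpConfig(): string
    {
        return 'internal configuration';
    }
}

// Vulnerable pattern: the request field is used as a variable method name,
// so every public method with no required parameters becomes callable.
function dispatch_unsafe(ReviewHandler $h, array $request): string
{
    $method = $request['op'] ?? 'markHelpful';
    return $h->$method();
}

// Hardened pattern: only explicitly listed operation names are accepted,
// each mapped to a fixed method, and arguments are validated separately.
function dispatch_safe(ReviewHandler $h, array $request): string
{
    $allowed = ['helpful' => 'markHelpful'];
    $op = $request['op'] ?? '';
    if (!isset($allowed[$op])) {
        throw new InvalidArgumentException('unknown operation');
    }
    $reviewId = filter_var($request['review_id'] ?? 0, FILTER_VALIDATE_INT);
    return $h->{$allowed[$op]}($reviewId === false ? 0 : $reviewId);
}

$h = new ReviewHandler();

// The unsafe dispatcher happily calls the internal helper.
echo dispatch_unsafe($h, ['op' => 'dumpConfig']), PHP_EOL;

// The hardened dispatcher rejects the same input and only serves the allow-list.
try {
    dispatch_safe($h, ['op' => 'dumpConfig']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo dispatch_safe($h, ['op' => 'helpful', 'review_id' => '42']), PHP_EOL;
```

The important design choice is that the allow-list keys are arbitrary tokens rather than method names, so nothing about the class's internals is exposed to the request, and adding a new reachable operation is a deliberate one-line change rather than a side effect of adding a public method.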

Potential Impact

The primary risk is information disclosure, where an attacker could access sensitive data from the database or server. In more severe scenarios, especially on servers with certain PHP classes or configurations enabled, this flaw could be chained with other factors to achieve remote code execution (RCE). RCE would grant the attacker full control over the affected WordPress site, allowing them to deface it, steal customer data, install backdoors, or use it to attack other systems.

Given that the attack requires no authentication, any website running the vulnerable plugin is exposed to exploitation from the public internet.

Remediation and Mitigation Steps

The plugin developer has released a fix. Immediate action is required.

  1. Update Immediately: The single most important step is to update the ReviewX plugin to version 2.2.13 or higher. This update contains the necessary input validation to patch the vulnerability.
  2. Verify and Test: After updating, verify the plugin version in your WordPress admin panel and test your product review functionality to ensure it operates correctly.
  3. Monitor for Suspicious Activity: Review your site’s access and error logs for any unusual activity, particularly around the time before the update was applied. Look for unexpected POST requests to WordPress admin-ajax.php or similar endpoints.
  4. Follow General Security Hygiene: This incident underscores the importance of keeping all website components updated. Regularly update WordPress core, all plugins, and your theme. Consider using a web application firewall (WAF) to help block exploit attempts.
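As an added example for the log-review step above (not part of the advisory and not tied to any specific exploit), the script below parses combined-format access-log lines, keeps only POST requests to admin-ajax.php, and summarises them per client IP so that bursts from one source, error responses and requests with no Referer stand out. The log lines are constructed and the `action` value is a placeholder, not a real plugin action.

```php
<?php
// Added example for reviewing access logs; not code from the advisory or
// the plugin. Log lines below are constructed; PLACEHOLDER_ACTION is not a
// real admin-ajax action name.

$sample_log = <<<'LOG'
203.0.113.5 - - [10/Oct/2025:09:12:01 +0000] "GET /shop/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2025:09:12:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "https://shop.example/" "Mozilla/5.0"
198.51.100.77 - - [10/Oct/2025:09:12:05 +0000] "POST /wp-admin/admin-ajax.php?action=PLACEHOLDER_ACTION HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.77 - - [10/Oct/2025:09:12:06 +0000] "POST /wp-admin/admin-ajax.php?action=PLACEHOLDER_ACTION HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.77 - - [10/Oct/2025:09:12:07 +0000] "POST /wp-admin/admin-ajax.php?action=PLACEHOLDER_ACTION HTTP/1.1" 200 0 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2025:09:13:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

// Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
const LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+)[^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"/';

/** Parse one log line; returns null for lines that do not match the format. */
function parse_line(string $line): ?array
{
    return preg_match(LOG_RE, $line, $m) ? $m : null;
}

/** Aggregate POST requests to admin-ajax.php by client IP. */
function summarise_ajax_posts(string $log): array
{
    $summary = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $m = parse_line($line);
        if ($m === null || $m['method'] !== 'POST') {
            continue;
        }
        $url = parse_url($m['path']);
        if (($url['path'] ?? '') !== '/wp-admin/admin-ajax.php') {
            continue;
        }
        parse_str($url['query'] ?? '', $query);
        $ip = $m['ip'];
        $summary[$ip] ??= ['requests' => 0, 'errors' => 0, 'no_referer' => 0, 'actions' => [], 'agents' => []];
        $summary[$ip]['requests']++;
        if ((int) $m['status'] >= 400) {
            $summary[$ip]['errors']++;
        }
        if ($m['referer'] === '-') {
            $summary[$ip]['no_referer']++;
        }
        $summary[$ip]['actions'][$query['action'] ?? '(none)'] = true;
        $summary[$ip]['agents'][$m['ua']] = true;
    }
    return $summary;
}

/** Triage: flag sources with repeated requests, error responses, or no Referer at all. */
function flag_suspicious(array $summary, int $threshold = 3): array
{
    $flagged = [];
    foreach ($summary as $ip => $s) {
        $reasons = [];
        if ($s['requests'] >= $threshold) {
            $reasons[] = "{$s['requests']} POSTs";
        }
        if ($s['errors'] > 0) {
            $reasons[] = "{$s['errors']} error responses";
        }
        if ($s['no_referer'] === $s['requests']) {
            $reasons[] = 'no Referer on any request';
        }
        if ($reasons) {
            $flagged[$ip] = $reasons;
        }
    }
    return $flagged;
}

$summary = summarise_ajax_posts($sample_log);
foreach (flag_suspicious($summary) as $ip => $reasons) {
    printf("%-15s %s | actions: %s | agents: %s\n", $ip, implode(', ', $reasons),
        implode(',', array_keys($summary[$ip]['actions'])),
        implode(',', array_keys($summary[$ip]['agents'])));
}
```

Run it against a real log with `php scan.php < access.log` after replacing the embedded sample with `file_get_contents('php://stdin')`. Legitimate admin-ajax traffic from a browser normally carries a Referer and a browser user agent, so an IP whose every request lacks one, or that draws repeated 500 responses, is the first thing to look at in the window before the update was applied.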

Staying informed about critical vulnerabilities is key to maintaining security. Recently, we’ve seen other urgent threats, such as the DarkSword iOS Exploit Kit and actively exploited Chrome zero-days, which also required prompt patching. Proactive update management is your best defense.
