CVE-2025-10734 in ReviewX Plugin
Summary
by MITRE • 03/23/2026
The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.12 via the syncedData function. This makes it possible for unauthenticated attackers to extract sensitive data including user names, emails, phone numbers, and addresses.
Analysis
by VulDB Data Team • 03/23/2026
The vulnerability identified as CVE-2025-10734 affects the ReviewX plugin for WooCommerce, a popular WordPress extension for managing product reviews with multi-criteria evaluation, reminder emails, and Google Reviews integration. The plugin is a central component for e-commerce sites that use review systems and structured data markup to increase customer engagement. The flaw lies in the plugin's syncedData function, which handles data synchronization between the plugin and external systems, and it undermines the confidentiality of sensitive user information stored in the WordPress environment.
The syncedData function allows unauthenticated attackers to access sensitive user data without any valid credentials or authentication tokens. The function appears to enforce neither proper access controls nor adequate validation, creating an information disclosure path that exposes usernames, email addresses, phone numbers, and physical addresses. The root cause is inadequate input validation combined with insufficient access control in the plugin's data handling routines, so any internet user can trigger the weakness through direct API calls or parameter manipulation.
The impact extends beyond the data exposure itself to user privacy and regulatory compliance. E-commerce platforms running the plugin are exposed to data breach incidents that could erode customer trust and carry legal consequences under privacy regulations such as GDPR and CCPA. Because all versions up to and including 2.2.12 are affected, the issue likely reaches a large number of WordPress installations across many industries. Attackers could use the exposed data to build user profiles for identity theft, social engineering, or targeted phishing campaigns, and could use the contact information for spam.
Security professionals should note that this vulnerability maps to CWE-200 (Information Exposure) and is a direct violation of the principle of least privilege in software design. The ATT&CK framework categorizes the issue under T1566 (Phishing) and T1071.004 (Application Layer Protocol: DNS), since attackers could use the exposed data to craft more convincing phishing attempts or to sustain reconnaissance. Organizations should immediately update the plugin, apply network-level access controls, and monitor for unauthorized data access patterns. The case demonstrates the importance of proper input validation and access control in web applications, particularly in e-commerce environments where personal information is routinely processed and stored.
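The access-control defect described in this analysis, as an added illustration that is not ReviewX code: it assumes the data function is exposed as a WordPress REST route, and the 'example-plugin/v1' namespace, route paths and example_* function names are hypothetical.

```php
<?php
// Added illustration (not ReviewX code). Assumed names: the 'example-plugin/v1'
// namespace, the '/synced-data*' routes and the example_* functions.

// Defect pattern: the route has no real permission check, so an unauthenticated
// visitor receives every customer field, including e-mail, phone and address.
function example_synced_data_insecure( WP_REST_Request $request ) {
    $out = array();
    foreach ( get_users( array( 'role' => 'customer' ) ) as $user ) {
        $out[] = array(
            'name'    => $user->display_name,
            'email'   => $user->user_email,
            'phone'   => get_user_meta( $user->ID, 'billing_phone', true ),
            'address' => get_user_meta( $user->ID, 'billing_address_1', true ),
        );
    }
    return rest_ensure_response( $out );
}

// Hardened pattern: an explicit capability check (below) plus field minimisation,
// so the route returns only what a review sync needs and only to authorised staff.
function example_synced_data_secure( WP_REST_Request $request ) {
    $out   = array();
    $users = get_users( array( 'role' => 'customer', 'fields' => array( 'ID', 'display_name' ) ) );
    foreach ( $users as $user ) {
        $out[] = array( 'id' => (int) $user->ID, 'name' => $user->display_name );
    }
    return rest_ensure_response( $out );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/synced-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_synced_data_insecure',
        'permission_callback' => '__return_true', // the bug: anyone may call this
    ) );
    register_rest_route( 'example-plugin/v1', '/synced-data-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_synced_data_secure',
        'permission_callback' => function () {
            // Deny by default; manage_woocommerce is the capability WooCommerce
            // grants to shop managers and administrators.
            if ( current_user_can( 'manage_woocommerce' ) ) {
                return true;
            }
            return new WP_Error( 'rest_forbidden', 'Insufficient privileges.',
                array( 'status' => rest_authorization_required_code() ) );
        },
    ) );
} );
```

Defenders reviewing a plugin can grep its register_rest_route and wp_ajax_nopriv_ hooks for callbacks that return user data behind a permission_callback of __return_true.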