CVE-2026-12154 in Reviews Widgets for Google, Yelp & TripAdvisor Plugininfo

Summary

by MITRE • 07/06/2026

The Reviews Widgets for Google, Yelp & TripAdvisor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_id' shortcode attribute of the [fbrev] shortcode in versions up to and including 2.7.3. This is due to insufficient input sanitization and output escaping in the Feed_Shortcode::fbrev() method, which passes the raw shortcode attribute through Feed_Old::get_feed() into the View::render() method, where it is echoed directly into the data-id HTML attribute without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/06/2026

The vulnerability in question affects the Reviews Widgets for Google Yelp & TripAdvisor plugin for WordPress, specifically targeting versions up to and including 2.7.3. This security flaw represents a classic stored cross-site scripting vulnerability that exploits insufficient input sanitization and output escaping mechanisms within the plugin's shortcode handling functionality. The vulnerability manifests through the 'page_id' shortcode attribute of the [fbrev] shortcode, creating a persistent vector for malicious script injection that can affect users across multiple platforms including Google, Yelp, and TripAdvisor reviews.

The technical execution path begins with the Feed_Shortcode::fbrev() method which fails to properly sanitize the 'page_id' parameter before processing. This unsanitized input flows through the Feed_Old::get_feed() method without adequate validation or filtering mechanisms, ultimately reaching the View::render() method where the insecure practice of directly echoing the parameter into the data-id HTML attribute occurs. The critical failure lies in the absence of esc_attr() function call during output rendering, which should have escaped the attribute value to prevent script execution within HTML contexts. This vulnerability is classified under CWE-79 as a cross-site scripting flaw and aligns with ATT&CK technique T1566.001 for malicious content injection through web applications.

The operational impact of this vulnerability extends significantly given that it requires only contributor-level access or higher to exploit, making it particularly dangerous in multi-user WordPress environments where less privileged users may have editorial capabilities. Authenticated attackers can inject arbitrary web scripts that persist in the affected pages and execute whenever any user accesses those pages, potentially leading to session hijacking, data theft, or further compromise of the WordPress installation. The stored nature of this vulnerability means that malicious scripts remain active until manually removed from the content, creating ongoing security risks for all users who view the compromised pages.

Security mitigations for this vulnerability should focus on implementing proper input validation and output escaping throughout the plugin's shortcode processing pipeline. The immediate fix involves adding esc_attr() calls to all shortcode attribute outputs and implementing robust sanitization routines that validate the 'page_id' parameter against expected formats and ranges. Additionally, administrators should consider implementing role-based access controls to limit contributor-level permissions where possible, as well as monitoring for suspicious content modifications. The vulnerability demonstrates the importance of following secure coding practices such as those outlined in the OWASP Secure Coding Guidelines and emphasizes the need for comprehensive input validation before any data is processed or rendered in HTML contexts. Regular security audits and plugin updates should be implemented to prevent similar vulnerabilities from persisting in WordPress installations, particularly given that this flaw affects a widely used review widget plugin that may be present on numerous websites across different industries and organizations.

Responsible

Wordfence

Reservation

06/12/2026

Disclosure

07/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!