{"api_version":"1","generated_at":"2026-05-01T21:55:31+00:00","cve":"CVE-2025-10736","urls":{"html":"https://cve.report/CVE-2025-10736","api":"https://cve.report/api/cve/CVE-2025-10736.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-10736","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-10736"},"summary":{"title":"ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More <= 2.2.10 - Incorrect Authorization to Unauthenticated Information Exposure and Data Manipulation","description":"The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to unauthorized access of data due to improper authorization checks on the userAccessibility() function in all versions up to, and including, 2.2.10. This makes it possible for unauthenticated attackers to access protected REST API endpoints, extract and modify information related to users and plugin's configuration","state":"PUBLISHED","assigner":"Wordfence","published_at":"2026-03-23 05:16:04","updated_at":"2026-04-24 16:32:53"},"problem_types":["CWE-285","CWE-285 CWE-285 Improper Authorization"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","data":{"baseScore":6.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/reviewx/2.2.7/app/Rest/Middleware/AuthMiddleware.php#L41","name":"https://plugins.trac.wordpress.org/browser/reviewx/2.2.7/app/Rest/Middleware/AuthMiddleware.php#L41","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/505d7072-8fca-4b86-9b9c-3f39bc4dcfaf?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/505d7072-8fca-4b86-9b9c-3f39bc4dcfaf?source=cve","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-10736","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-10736","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"reviewx","product":"ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema","version":"affected 2.2.10 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2025-09-05T00:00:00.000Z","lang":"en","value":"Discovered"},{"source":"CNA","time":"2025-11-19T16:49:00.000Z","lang":"en","value":"Vendor Notified"},{"source":"CNA","time":"2026-03-22T16:23:54.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"abrahack","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2025","cve_id":"10736","cve":"CVE-2025-10736","epss":"0.000820000","percentile":"0.238070000","score_date":"2026-04-26","updated_at":"2026-04-27 00:09:42"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2025-10736","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-03-23T15:59:42.744976Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-03-23T15:59:56.033Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema","vendor":"reviewx","versions":[{"lessThanOrEqual":"2.2.10","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"abrahack"}],"descriptions":[{"lang":"en","value":"The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to unauthorized access of data due to improper authorization checks on the userAccessibility() function in all versions up to, and including, 2.2.10. This makes it possible for unauthenticated attackers to access protected REST API endpoints, extract and modify information related to users and plugin's configuration"}],"metrics":[{"cvssV3_1":{"baseScore":6.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-285","description":"CWE-285 Improper Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T16:52:17.350Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/505d7072-8fca-4b86-9b9c-3f39bc4dcfaf?source=cve"},{"url":"https://plugins.trac.wordpress.org/browser/reviewx/2.2.7/app/Rest/Middleware/AuthMiddleware.php#L41"}],"timeline":[{"lang":"en","time":"2025-09-05T00:00:00.000Z","value":"Discovered"},{"lang":"en","time":"2025-11-19T16:49:00.000Z","value":"Vendor Notified"},{"lang":"en","time":"2026-03-22T16:23:54.000Z","value":"Disclosed"}],"title":"ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More <= 2.2.10 - Incorrect Authorization to Unauthenticated Information Exposure and Data Manipulation"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2025-10736","datePublished":"2026-03-23T04:26:48.393Z","dateReserved":"2025-09-19T15:20:07.761Z","dateUpdated":"2026-04-08T16:52:17.350Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-23 05:16:04","lastModifiedDate":"2026-04-24 16:32:53","problem_types":["CWE-285","CWE-285 CWE-285 Improper Authorization"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":2.5}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"10736","Ordinal":"1","Title":"ReviewX – WooCommerce Product Reviews with Multi-Criteria, Remin","CVE":"CVE-2025-10736","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"10736","Ordinal":"1","NoteData":"The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to unauthorized access of data due to improper authorization checks on the userAccessibility() function in all versions up to, and including, 2.2.10. This makes it possible for unauthenticated attackers to access protected REST API endpoints, extract and modify information related to users and plugin's configuration","Type":"Description","Title":"ReviewX – WooCommerce Product Reviews with Multi-Criteria, Remin"}]}}}