A high-severity vulnerability exists in the "Widgets for Google Reviews" WordPress plugin, affecting all versions up to and including 13. This flaw allows an attacker to inject malicious code into a website, which then executes in the browsers of unsuspecting visitors and administrators. Successful exploitation could lead to the theft of sensitive user data, account compromise, or website defacement.

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw. It occurs because the plugin fails to properly sanitize user-supplied input before storing it in the database and rendering it on web pages. An attacker can exploit this by submitting specially crafted input, such as a malicious script embedded within a review or a widget configuration setting. This malicious script is then permanently stored on the server and is served to any user who views the affected page, executing within their browser context to steal session cookies, capture credentials, or redirect them to malicious websites.

This vulnerability is rated as High severity with a CVSS score of 7.2. Exploitation could have a significant negative impact on the business, leading to reputational damage if the website is defaced or used to attack customers. It poses a direct risk of data breach, as attacker-controlled scripts could steal sensitive user information or administrator session tokens, potentially leading to a full site takeover. The compromise of user accounts could result in regulatory fines and a loss of customer trust.

Immediate Action: Apply vendor security updates immediately to patch the "Widgets for Google Reviews" plugin to a version higher than 13. After patching, it is critical to monitor for any signs of exploitation that may have occurred prior to the update and thoroughly review web server and application access logs for suspicious activity.

Proactive Monitoring: Implement monitoring to detect potential exploitation attempts. Security teams should search web server logs for HTTP requests containing common XSS payloads (e.g., <script>, onerror, onload attributes) directed at the plugin's endpoints. Utilize a Web Application Firewall (WAF) with rules designed to detect and block XSS attacks. Monitor website pages for any unauthorized modifications or unexpected behavior.

Compensating Controls: If patching cannot be performed immediately, the following controls can reduce risk:

• Temporarily disable the "Widgets for Google Reviews" plugin until a patch can be applied.
• Configure a Web Application Firewall (WAF) to filter and block malicious script submissions targeting the plugin.
• Implement a strict Content Security Policy (CSP) to prevent the browser from executing untrusted inline scripts.

Public Exploit Available: false

Given the high severity (CVSS 7.2) of this vulnerability and its presence in a widely used WordPress plugin, we recommend that organizations treat this as a high-priority issue. The risk of website compromise, data theft, and reputational harm is significant. Although this CVE is not currently listed on the CISA KEV catalog, its characteristics make it an attractive target for attackers. Organizations must apply the vendor-supplied patch immediately and implement the recommended monitoring controls to secure their web assets.