Stored Cross-Site Scripting in Social Reviews & Recommendations Plugin for WordPress
CVE-2025-12705

7.2 HIGH

What is CVE-2025-12705?

The Social Reviews & Recommendations plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping in the 'trim_text' function. All versions up to and including 2.5 are affected, allowing unauthenticated attackers to inject arbitrary web scripts into pages; the injected scripts then execute in the browser of any user who views an affected page. A partial fix was introduced in version 2.5, so users should update to the latest available version to mitigate the risk.
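As an added illustration (not code from the plugin or its author), the pattern the description names: a text-trimming helper that returns stored review text unescaped, beside a hardened version that escapes at output. Only the name trim_text comes from the advisory; the function bodies, the WordPress-helper fallbacks and the sample review are assumptions.

```php
<?php
// Added illustrative example; not code from the Social Reviews & Recommendations plugin.
// Only the name trim_text comes from the advisory. The bodies below are assumptions that
// show the general pattern (truncate, then output) and where escaping belongs.

// Fallbacks so the file runs outside WordPress (assumption: they mirror the real helpers).
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $s ) { return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
}
if ( ! function_exists( 'wp_strip_all_tags' ) ) {
    function wp_strip_all_tags( $s ) { return trim( strip_tags( $s ) ); }
}

/**
 * Vulnerable pattern (hypothetical): truncates the stored review text and returns
 * it as-is. Whatever markup the reviewer stored is emitted unchanged when the
 * caller echoes the result, which is what makes stored XSS possible.
 */
function trim_text_unsafe( $text, $max_chars ) {
    if ( strlen( $text ) <= $max_chars ) {
        return $text;
    }
    return substr( $text, 0, $max_chars ) . '...';
}

/**
 * Hardened pattern: same truncation, but tags are stripped on the way in and the
 * result is escaped for the HTML body context with esc_html() on the way out.
 * mb_* functions avoid cutting a multibyte character in half, which substr() can do.
 */
function trim_text_safe( $text, $max_chars ) {
    $text = wp_strip_all_tags( $text );
    if ( mb_strlen( $text, 'UTF-8' ) > $max_chars ) {
        $text = mb_substr( $text, 0, $max_chars, 'UTF-8' ) . '...';
    }
    return esc_html( $text );
}

// Constructed sample review: benign markup stands in for reviewer-controlled input.
$review = 'Great <b>pizza</b> & friendly staff, will come back!';

// Unsafe: the <b> tag survives and is interpreted by the browser.
echo '<p>' . trim_text_unsafe( $review, 30 ) . "</p>\n";
// Safe: the tag is removed and '&' becomes '&amp;', so only text reaches the page.
echo '<p>' . trim_text_safe( $review, 30 ) . "</p>\n";
```

The point to check in a real review of such a function is that escaping happens with the function matching the output context (esc_html() for element bodies, esc_attr() for attributes), not only that tags were stripped on input.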

Affected Version(s)

Reviews Widget for Google, Yelp & Recommendations * <= 2.5

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kishan Vyas