Stored Cross-Site Scripting in Reviews Widgets for Google, Yelp & TripAdvisor Plugin by WordPress
CVE-2026-12154
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 6 July 2026
What is CVE-2026-12154?
The Reviews Widgets for Google, Yelp & TripAdvisor plugin for WordPress suffers from a stored cross-site scripting vulnerability. Affected versions up to and including 2.7.3 exhibit inadequate input sanitization and output escaping in the handling of the 'page_id' shortcode attribute. This oversight allows authenticated attackers with contributor-level access or higher to inject malicious scripts that will be executed when users visit the compromised pages. This vulnerable function, located in the Feed_Shortcode::fbrev() method, improperly passes raw shortcode attributes into the HTML without necessary escaping, thereby exposing users to potential attacks.
Affected Version(s)
Reviews Widgets for Google, TripAdvisor, Yelp & Recommendations 0 <= 2.7.3