Stored Cross-Site Scripting in Reviews Widgets for Google, Yelp & TripAdvisor Plugin by WordPress
CVE-2026-12154

6.4MEDIUM

What is CVE-2026-12154?

The Reviews Widgets for Google, Yelp & TripAdvisor plugin for WordPress suffers from a stored cross-site scripting vulnerability. Affected versions up to and including 2.7.3 exhibit inadequate input sanitization and output escaping in the handling of the 'page_id' shortcode attribute. This oversight allows authenticated attackers with contributor-level access or higher to inject malicious scripts that will be executed when users visit the compromised pages. This vulnerable function, located in the Feed_Shortcode::fbrev() method, improperly passes raw shortcode attributes into the HTML without necessary escaping, thereby exposing users to potential attacks.

Affected Version(s)

Reviews Widgets for Google, TripAdvisor, Yelp & Recommendations 0 <= 2.7.3

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ilkeggs
.