CVE-2025-10736 MEDIUM

CVE-2025-10736: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More <= 2.2.10 - Incorrect Authorization to Unauthenticated Information Exposure and Data Manipulation

Vendor Reviewx
Product ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
Weakness CWE-285
Published March 23, 2026
Last update April 8, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to unauthorized access of data due to improper authorization checks on the userAccessibility() function in all versions up to, and including, 2.2.10. This makes it possible for unauthenticated attackers to access protected REST API endpoints and to extract and modify information related to users and the plugin's configuration.

Explanation of Vulnerability in Simple Terms

02 Summary

ReviewX for WooCommerce versions up to 2.2.10 contain an improper access control vulnerability. An attacker can read and modify sensitive data without authentication. The vulnerability affects the plugin's core functionality and requires no user interaction to exploit.

What an attacker can do

03 Attacker Capabilities

Read and modify sensitive data in the plugin without logging in.

Potential impact on your site

04 Site Impact

Attackers can access and alter review data, ratings, and potentially customer information stored by the plugin.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

March 23, 2026 CVE published
April 8, 2026 Record updated