CVE-2025-1232
Published 2025-03-19
Priority: P354 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.86% (76.5th percentile)
The Site Reviews WordPress plugin before 7.2.5 does not properly sanitise and escape some of its Review fields, which could allow unauthenticated users to perform Stored XSS attacks
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geminilabs | site_reviews | < 7.2.5 | 7.2.5 |
| msrc | cbl2_dnsmasq_2.89-2_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_dnsmasq_2.85-2_on_cbl_mariner_1.0 | — | — |
Detection & IOCs (extracted from sources)
- Probe for the presence of the Site Reviews plugin by searching for the 'glsr-form-wrap' string in page bodies, which indicates the vulnerable review submission form is present.
- Exploit submissions are sent as unauthenticated POST requests to /wp-admin/admin-ajax.php with the parameters action=glsr_public_action and _action=submit-review. Monitor for this combination from unauthenticated sources.
- Successful exploitation results in a JSON response containing '"success":true' alongside the injected XSS payload 'javascript:alert(document.domain)'. Alert on stored review content containing javascript: URI schemes.
- The XSS payload is delivered via the 'content' field of the review submission, encoded as a deeply nested HTML entity string. Inspect review content fields for unusual levels of HTML entity encoding (e.g., &amp;amp;...<iframe).
- Use Shodan/FOFA to identify exposed WordPress instances running Site Reviews by querying for the 'glsr-form' body string or the WordPress component tag.
- The exploit uses the X-Requested-With: XMLHttpRequest header alongside the AJAX action. WAF rules should flag unauthenticated AJAX requests to admin-ajax.php with action=glsr_public_action.
- The exploit requires first enumerating a valid page containing the review form (glsr-form-wrap) via the REST API to extract the dynamic nonce, post_id, form_id, form_signature, terms_exist, and honeypot field values. Static replay of the POST request will fail without these values.
- A honeypot field name is dynamically extracted from the form (an 8-character hex string) and must be submitted empty. Detection rules should account for this dynamic field name pattern.
- The vulnerability affects Site Reviews plugin versions before 7.2.5 only. Instances running 7.2.5 or later are not affected.
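As an added defensive example (not code from the page's sources or from the plugin), the following Python checks implement two of the indicators listed above: an unauthenticated submit-review AJAX request to admin-ajax.php, and stored review content that hides a javascript: URI or active markup behind nested HTML-entity encoding. The request records and review bodies are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample records (not real traffic). Each tuple is
# (method, request target, "auth" or "anon", URL-encoded POST body).
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php", "anon",
     "action=glsr_public_action&_action=submit-review&content=hello"),
    ("POST", "/wp-admin/admin-ajax.php", "auth",
     "action=glsr_public_action&_action=submit-review&content=hello"),
    ("POST", "/wp-admin/admin-ajax.php", "anon", "action=heartbeat"),
    ("GET", "/wp-json/wp/v2/pages", "anon", ""),
]

def is_suspicious_submission(method, path, auth, body):
    """Flag an unauthenticated Site Reviews submit-review AJAX call,
    the request shape described in the IOC list above."""
    if method != "POST" or urlsplit(path).path != "/wp-admin/admin-ajax.php":
        return False
    params = parse_qs(body)
    return (auth == "anon"
            and params.get("action") == ["glsr_public_action"]
            and params.get("_action") == ["submit-review"])

def decode_entities(text, max_rounds=10):
    """HTML-entity-decode repeatedly until the text stops changing.
    Returns (decoded_text, rounds); rounds > 1 means nested encoding."""
    rounds = 0
    while rounds < max_rounds:
        decoded = html.unescape(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds

# Markup that should never survive in a plain-text review body.
_DANGEROUS = re.compile(r"javascript\s*:|<\s*(script|iframe)\b", re.IGNORECASE)

def review_content_findings(content):
    """Return the reasons a stored review body looks like an XSS payload
    (empty list when nothing is found)."""
    decoded, rounds = decode_entities(content)
    findings = []
    if rounds > 1:
        findings.append(f"nested entity encoding ({rounds} layers)")
    if _DANGEROUS.search(decoded):
        findings.append("script-bearing markup or javascript: URI after decoding")
    return findings
```

Run the request check over access or WAF logs and the content check over the stored reviews table; a hit on both for the same submission is a strong signal.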
CVSS provenance
- NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- vendor_msrc: 7.5 HIGH
GHSA
GHSA-6qw8-39x3-j5rj (ghsa_unreviewed · 2025-03-19) · CVE-2025-1232 [HIGH] · CWE-79
The Site Reviews WordPress plugin before 7.2.5 does not properly sanitise and escape some of its Review fields, which could allow unauthenticated users to perform Stored XSS attacks.
Microsoft
CVE-2023-28450 [HIGH] (vendor_msrc · 2023-03-14 · CVSS 7.5)
An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries of which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
No detection rules found.
Nuclei
Site Reviews < 7.2.5 - Unauthenticated Stored XSS (nuclei · CVSS 8.8 · CVE-2025-1232 [HIGH])
Site Reviews WordPress plugin before 7.2.5 contains a stored cross-site scripting vulnerability caused by improper sanitization and escaping of review fields, letting unauthenticated users execute malicious scripts; exploitation requires no authentication.
Template:
```yaml
id: CVE-2025-1232
info:
  name: Site Reviews < 7.2.5 - Unauthenticated Stored XSS
  author: 0x_Akoko
  severity: high
  description: |
    Site Reviews WordPress plugin before 7.2.5 contains a stored cross-site scripting caused by improper sanitization and escaping of review fields, letting unauthenticated users execute malicious scripts, exploit requires no authentication.
  impact: |
    Unauthenticated users can execute malicious scripts in the context of site visitors, potentially leading to session hijacki
```
No writeups or analysis indexed.
Published: 2025-03-19