cbcvebase.
CVE-2025-1232
published 2025-03-19

CVE-2025-1232: The Site Reviews WordPress plugin before 7.2.5 does not properly sanitise and escape some of its Review fields, which could allow unauthenticated users to perform Stored XSS attacks

Priority: P3 (54, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 1.86% (76.5th percentile)
The Site Reviews WordPress plugin before 7.2.5 does not properly sanitise and escape some of its Review fields, which could allow unauthenticated users to perform Stored XSS attacks

Affected (3 ranges)

Vendor      Product                                  Version range   Fixed in
geminilabs  site_reviews                             < 7.2.5         7.2.5
msrc        cbl2_dnsmasq_2.89-2_on_cbl_mariner_2.0   -               -
msrc        cm1_dnsmasq_2.85-2_on_cbl_mariner_1.0    -               -

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php
Command: action=glsr_public_action&_ajax_request=true&site-reviews%5B_action%5D=submit-review
  • Detect whether the Site Reviews plugin is installed by searching page bodies for the string 'glsr-form-wrap', which marks the vulnerable review submission form.
  • Exploit submissions are sent as unauthenticated POST requests to /wp-admin/admin-ajax.php with the parameters action=glsr_public_action and site-reviews[_action]=submit-review. Monitor for this combination from unauthenticated sources.
  • Successful exploitation returns a JSON response containing '"success":true' together with the injected XSS payload 'javascript:alert(document.domain)'. Alert on stored review content that contains javascript: URI schemes.
  • The XSS payload is delivered in the 'content' field of the review submission, encoded as a deeply nested HTML entity string. Inspect review content fields for unusual levels of HTML entity encoding (e.g., &amp;amp;amp;...&lt;iframe).
  • Use Shodan/FOFA to identify exposed WordPress instances running Site Reviews by querying for the 'glsr-form' body string or the WordPress component tag.
  • The exploit sends the X-Requested-With: XMLHttpRequest header alongside the AJAX action. WAF rules should flag unauthenticated AJAX requests to admin-ajax.php with action=glsr_public_action.
  • The exploit must first locate a page containing the review form (glsr-form-wrap) via the REST API in order to extract the dynamic nonce, post_id, form_id, form_signature, terms_exist and honeypot field values; a static replay of the POST request fails without them.
  • The honeypot field name is extracted dynamically from the form (an 8-character hex string) and must be submitted empty. Detection rules should account for this dynamic field name.
  • The vulnerability affects Site Reviews plugin versions before 7.2.5 only. Instances running 7.2.5 or later are not affected.
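The request signature and the content checks from the IOCs above, combined into one detector, as an added example that is not part of this record or of the plugin's own code. It assumes WordPress sessions carry a wordpress_logged_in_* cookie and that the review text is posted as site-reviews[content]; the sample body is constructed, not a real capture.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
JS_URI = re.compile(r"javascript\s*:", re.IGNORECASE)

def is_review_submission(method, path, body, cookies=""):
    """Request signature from the IOCs: unauthenticated POST to admin-ajax.php with
    action=glsr_public_action and site-reviews[_action]=submit-review."""
    if method != "POST" or urlsplit(path).path != AJAX_PATH:
        return False
    params = parse_qs(body)  # decodes %5B/%5D, so the key reads site-reviews[_action]
    if params.get("action") != ["glsr_public_action"]:
        return False
    if params.get("site-reviews[_action]") != ["submit-review"]:
        return False
    # Assumption: a wordpress_logged_in_* cookie marks a logged-in session; none means unauthenticated.
    return "wordpress_logged_in_" not in cookies

def entity_depth(text):
    """Rounds of HTML-entity decoding that change the text, plus the fully decoded text.
    Ordinary review text decodes in 0 or 1 rounds; nested encoding needs several."""
    depth = 0
    while (decoded := html.unescape(text)) != text:
        text, depth = decoded, depth + 1
    return depth, text

def review_content_findings(content, max_depth=1):
    """Content checks from the IOCs: nested entity encoding and javascript: URIs."""
    depth, decoded = entity_depth(content)
    findings = []
    if depth > max_depth:
        findings.append(f"nested_entity_encoding:{depth}")
    if JS_URI.search(decoded):
        findings.append("javascript_uri")
    return findings

def analyze_request(method, path, body, cookies=""):
    """Verdict for one request (None if not submit-review); guest reviews legitimately match the signature, so content findings decide."""
    if not is_review_submission(method, path, body, cookies):
        return None
    # Assumption: the review text is posted as site-reviews[content] (the record names only 'content').
    content = parse_qs(body).get("site-reviews[content]", [""])[0]
    findings = review_content_findings(content)
    return {"suspicious": bool(findings), "findings": findings}

# Constructed sample body (not a real capture); content is "&amp;amp;lt;iframe ..." URL-encoded.
SAMPLE_BODY = ("action=glsr_public_action&_ajax_request=true&site-reviews%5B_action%5D=submit-review"
               "&site-reviews%5Bcontent%5D=%26amp%3Bamp%3Blt%3Biframe+src%3Djavascript%3Aalert(document.domain)%3E")
```

Run analyze_request over each admin-ajax.php POST from the access or WAF log; a benign guest review matches the signature but yields no findings, while the sample body yields nested_entity_encoding:3 and javascript_uri.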

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vendor_msrc  -        7.5    HIGH      -