CVE-2025-10679
Published: 23 March 2026
Summary
CVE-2025-10679 is a high-severity Code Injection (CWE-94) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly counters the insufficient input validation in the bulkTenReviews function by requiring validation of user-controlled data before it reaches the variable function call mechanism.
Mitigates the vulnerability comprehensively by mandating timely identification, reporting, and patching of the arbitrary method call flaw in ReviewX plugin versions up to 2.2.12.
Enables detection of the known CVE-2025-10679 in the ReviewX plugin through vulnerability scanning, supporting proactive remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated RCE/info disclosure via arbitrary method invocation in a public WordPress plugin (web app).
NVD Description
The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to arbitrary method calls in all versions up to, and including, 2.2.12. This is due to insufficient input validation in…
more
the bulkTenReviews function that allows user-controlled data to be passed directly to a variable function call mechanism. This makes it possible for unauthenticated attackers to call arbitrary PHP class methods that take no inputs or have default values, potentially leading to information disclosure or remote code execution depending on available methods and server configuration.
Deeper analysisAI
CVE-2025-10679 is an arbitrary method call vulnerability (CWE-94) in the ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress, affecting all versions up to and including 2.2.12. The issue arises from insufficient input validation in the bulkTenReviews function, which allows user-controlled data to be passed directly to a variable function call mechanism. This flaw has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-03-23.
Unauthenticated attackers can exploit the vulnerability remotely with low complexity and no user interaction required. By supplying malicious input, they can invoke arbitrary PHP class methods that take no inputs or use default values, potentially leading to information disclosure or remote code execution based on the targeted methods and server configuration.
Advisories reference specific vulnerable code locations in the plugin, including ReviewController.php (line 426), ReviewService.php (line 731), Helper.php (line 65), and api.php (line 220). Wordfence's threat intelligence provides further details on the issue (https://www.wordfence.com/threat-intel/vulnerabilities/id/0935ede4-05bc-48a2-94a3-8d92002e02bb?source=cve).
Details
- CWE(s)