{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9436", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-25T13:06:03.706Z", "datePublished": "2025-12-11T03:27:12.000Z", "dateUpdated": "2026-04-08T17:09:53.757Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:53.757Z"}, "affected": [{"vendor": "trustindex", "product": "Widgets for Google Reviews", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "13.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `trustindex` shortcode in all versions up to, and including, 13.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Widgets for Google Reviews <= 13.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via trustindex Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/94974552-1c52-417b-9b4e-c30fd13a8ad4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-reviews-plugin-for-google/tags/13.0/trustindex-plugin.class.php#L803"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-08-25T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-11-05T18:30:13.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-10T15:02:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-11T15:29:41.886801Z", "id": "CVE-2025-9436", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-11T15:33:55.341Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9436", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-11T15:29:41.886801Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-11T15:30:24.637Z"}}], "cna": {"title": "Widgets for Google Reviews <= 13.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via trustindex Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "trustindex", "product": "Widgets for Google Reviews", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "13.2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-25T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-11-05T18:30:13.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-10T15:02:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/94974552-1c52-417b-9b4e-c30fd13a8ad4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-reviews-plugin-for-google/tags/13.0/trustindex-plugin.class.php#L803"}], "descriptions": [{"lang": "en", "value": "The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `trustindex` shortcode in all versions up to, and including, 13.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:53.757Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9436", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:09:53.757Z", "dateReserved": "2025-08-25T13:06:03.706Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-11T03:27:12.000Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `trustindex` shortcode in all versions up to, and including, 13.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-9436", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-11T04:15:59.920", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-reviews-plugin-for-google/tags/13.0/trustindex-plugin.class.php#L803"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/94974552-1c52-417b-9b4e-c30fd13a8ad4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:57:30.211536+00:00", "value": {"mitigation_remediation": ["Update the Widgets for Google Reviews plugin to a fixed release (version 13.2.2 or newer).", "Remove any instances of the trustindex shortcode from publicly exposed content until the update is applied or a temporary disable solution is in place.", "Restrict contributor-level access to contributors who are known to require it or consider revoking contributor privileges that can edit content containing the shortcode."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Vulnerable versions of the widget range from the earliest release up through 13.2.1, affecting all WordPress sites that have not upgraded past that point. The plugin, produced by trustindex, is available from the WordPress Plugin Repository and commonly used to display Google Reviews.", "description_and_impact": "The Widgets for Google Reviews plugin for WordPress allows an authenticated user with contributor-level access to store malicious JavaScript via the plugin's trustindex shortcode. The flaw results from insufficient input sanitization and inadequate output escaping on user supplied attributes, enabling the injection of arbitrary scripts that execute when a page containing the shortcode is rendered. This constitutes a Stored Cross\u2011Site Scripting vulnerability (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. Because the flaw requires authentication and sufficient privileges, an attacker would first need to compromise a contributor or higher account or leverage a pre\u2011existing account, and then craft a malicious shortcode that is stored and later rendered to any visitor. Despite the low EPSS, the potential impact on any user who views affected pages warrants rapid patching; the vulnerability is not currently listed in the CISA KEV catalog."}}}}, "created": "2025-12-11T15:16:09.834949+00:00", "updated": "2026-04-21T01:00:12.980864+00:00", "vendors": ["trustindex", "trustindex$PRODUCT$widgets_for_google_reviews", "wordpress", "wordpress$PRODUCT$wordpress"]}