{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9899", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-02T23:40:34.796Z", "datePublished": "2025-09-27T06:47:14.612Z", "dateUpdated": "2026-04-08T17:13:34.780Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:34.780Z"}, "affected": [{"vendor": "trustreviews", "product": "Trust Reviews plugin for Google, Tripadvisor, Yelp, Airbnb and other platforms", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Trust Reviews plugin for Google, Tripadvisor, Yelp, Airbnb and other platforms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the feed_save function. This makes it possible for unauthenticated attackers to create or modify feed entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Trust Reviews plugin for Google, Tripadvisor, Yelp, Airbnb and other platforms <= 1.0 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a6d22101-06ef-4492-8ba9-8cf2ca1f4474?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/trust-reviews/trunk/includes/class-feed-serializer.php#L12"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-09-26T18:34:01.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-29T19:09:05.202258Z", "id": "CVE-2025-9899", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-29T19:09:22.649Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9899", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-29T19:09:05.202258Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-29T19:09:15.680Z"}}], "cna": {"title": "Trust Reviews plugin for Google, Tripadvisor, Yelp, Airbnb and other platforms <= 1.0 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "trustreviews", "product": "Trust Reviews plugin for Google, Tripadvisor, Yelp, Airbnb and other platforms", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-26T18:34:01.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a6d22101-06ef-4492-8ba9-8cf2ca1f4474?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/trust-reviews/trunk/includes/class-feed-serializer.php#L12"}], "descriptions": [{"lang": "en", "value": "The Trust Reviews plugin for Google, Tripadvisor, Yelp, Airbnb and other platforms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the feed_save function. This makes it possible for unauthenticated attackers to create or modify feed entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:34.780Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9899", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:13:34.780Z", "dateReserved": "2025-09-02T23:40:34.796Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-27T06:47:14.612Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Trust Reviews plugin for Google, Tripadvisor, Yelp, Airbnb and other platforms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the feed_save function. This makes it possible for unauthenticated attackers to create or modify feed entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9899", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-27T07:15:35.053", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/trust-reviews/trunk/includes/class-feed-serializer.php#L12"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a6d22101-06ef-4492-8ba9-8cf2ca1f4474?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:27:45.750977+00:00", "value": {"mitigation_remediation": ["Update the Trust Reviews plugin to the latest release (any version newer than 1.0).", "If an update cannot be performed immediately, disable or uninstall the plugin to remove the vulnerable endpoint.", "If the plugin must remain active, enforce a nonce or restrict the feed_save action to strictly authenticated and authorized admin users by modifying the theme\u2019s functions.php or via a custom plugin hook."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Request Forgery that permits unauthenticated attackers to create or modify feed entries via the plugin's feed_save function"}, "threat_synthesis": {"affected_systems": "All installations of the Trust Reviews plugin for Google, Tripadvisor, Yelp, Airbnb and other platforms running WordPress version 1.0 or earlier are affected. The issue resides in the plugin\u2019s core code delivered with versions up to and including 1.0.", "description_and_impact": "The Trust Reviews plugin for WordPress suffers from a cross\u2011site request forgery flaw caused by missing or incorrect nonce validation on the feed_save handler. The vulnerable code allows an attacker to submit a forged request that creates or changes feed entries without authentication. Depending on the site's configuration, this could lead to unauthorized content injection or manipulation of review feeds, degrading the authenticity of user data and potentially harming the site's reputation.", "risk_and_exploitability": "The CVSS score of 6.1 reflects medium severity and the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires no credentials; an attacker can lure a site administrator to click a crafted link or submit a malicious form expression using the forgeable feed_save endpoint. While the low EPSS suggests limited large\u2011scale abuse, targeted attacks against sites that rely heavily on the plugin\u2019s review feeds are still possible."}}}}, "created": "2025-09-29T09:29:48.937795+00:00", "updated": "2026-04-20T19:30:06.169763+00:00", "vendors": ["trustreviews", "trustreviews$PRODUCT$trust_reviews_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}