JustAppSec

ReviewX flaw enables unauthenticated limited remote code execution

Published 22 Mar 2026. Updated 23 Mar 2026. Source: Wordfence Intelligence

TL;DR — An unauthenticated attacker can trigger arbitrary PHP method calls in the reviewx WordPress plugin, potentially escalating to limited remote code execution depending on reachable classes/methods and server configuration.

What happened

ReviewX is a WordPress plugin that adds WooCommerce product-review functionality (multi-criteria reviews, schema markup, and related review workflows).

Wordfence published CVE-2025-10679, a High-severity issue in which insufficient input validation in the bulkTenReviews function lets user-controlled data reach a variable function call. Per Wordfence, an unauthenticated attacker can therefore invoke arbitrary PHP class methods, limited to methods that take no arguments (or whose arguments all have default values), which can lead to information disclosure or remote code execution depending on which methods are reachable in the environment.

This pattern is operationally important because "limited" method-invocation issues are environment-dependent: the real impact turns on which classes are loaded (WordPress core, other plugins, the theme, autoloaded libraries) and which of their public methods can be called without arguments, so the same CVE may be near-harmless on one site and serious on another. For platform teams running WordPress at scale, that makes fleet-wide inventory and prioritization the critical step.
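The vulnerable shape and its fix, as an added illustration of the variable-method-call pattern. This is not ReviewX's code: the classes, methods and request fields (ReviewBulkActions, SiteDiagnostics, class, method, action, ids) are invented, and the example is written to run with plain PHP rather than inside WordPress, so the WordPress capability and nonce checks are represented by a boolean parameter.

```php
<?php
declare(strict_types=1);

// Added illustration of a variable method call fed by request data.
// Not ReviewX code: every class, method and request field here is invented.

/** Legitimate bulk-action target for review moderation. */
final class ReviewBulkActions
{
    public function approve(array $ids): string
    {
        return 'approved ' . count($ids) . ' reviews';
    }

    public function trash(array $ids): string
    {
        return 'trashed ' . count($ids) . ' reviews';
    }
}

/** Stand-in for any other loaded class with a public zero-argument method.
 *  On a real site this could be anything in core, a theme or another plugin. */
final class SiteDiagnostics
{
    public function dumpConfig(): string
    {
        return 'db host, salts, paths ...'; // constructed placeholder output
    }
}

/** VULNERABLE: class and method names are taken from the request. */
function handle_bulk_vulnerable(array $request): string
{
    $class  = (string) ($request['class']  ?? ReviewBulkActions::class);
    $method = (string) ($request['method'] ?? 'approve');
    $ids    = (array)  ($request['ids']    ?? []);

    // method_exists() only proves the method exists; it is not an allowlist.
    if (!class_exists($class) || !method_exists($class, $method)) {
        return 'error: unknown action';
    }
    $obj = new $class();
    // PHP ignores surplus arguments to user-defined methods, so a zero-arg
    // method such as SiteDiagnostics::dumpConfig() is callable through here.
    return $obj->$method($ids);
}

/** HARDENED: a fixed map from action name to closure. No string from the
 *  request is ever used as a class, method or function name. */
function handle_bulk_hardened(array $request, bool $is_authorized): string
{
    // In WordPress derive $is_authorized from current_user_can() plus a
    // nonce check (check_ajax_referer()); it is a parameter here so the
    // example runs without WordPress loaded.
    if (!$is_authorized) {
        return 'error: forbidden';
    }
    $handler = new ReviewBulkActions();
    $allowed = [
        'approve' => fn(array $ids): string => $handler->approve($ids),
        'trash'   => fn(array $ids): string => $handler->trash($ids),
    ];
    $action = (string) ($request['action'] ?? '');
    if (!array_key_exists($action, $allowed)) {
        return 'error: unknown action';
    }
    $ids = array_map('intval', (array) ($request['ids'] ?? []));
    return $allowed[$action]($ids);
}

function check_equal(string $actual, string $expected): void
{
    if ($actual !== $expected) {
        throw new RuntimeException("got '$actual', want '$expected'");
    }
}

// Constructed requests: the unauthenticated caller reaches a foreign class.
$attack = ['class' => 'SiteDiagnostics', 'method' => 'dumpConfig'];
check_equal(handle_bulk_vulnerable($attack), 'db host, salts, paths ...');

// The same names mean nothing to the hardened handler.
check_equal(handle_bulk_hardened(['action' => 'dumpConfig'], true), 'error: unknown action');
check_equal(handle_bulk_hardened(['action' => 'approve', 'ids' => [1, 2]], false), 'error: forbidden');
check_equal(handle_bulk_hardened(['action' => 'approve', 'ids' => [1, 2]], true), 'approved 2 reviews');
echo "ok\n";
```

The point of the hardened version is that authorization and an explicit allowlist are both required: a capability check alone would still let an authenticated low-privilege user pick methods, and an allowlist alone would still serve unauthenticated callers. Note also that method_exists() in the vulnerable version is a reachability check, not a security control, which is why "limited" invocation bugs are graded by what the environment happens to load.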

Who is impacted

  • WordPress sites running the reviewx plugin (ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More).
  • Deployments where the vulnerable call path is reachable from the public site surface, enabling unauthenticated invocation attempts.
Component                  Affected (per source)   Patched (per source)
reviewx WordPress plugin   <= 2.2.12               2.3.0

What to do now

  • Follow vendor remediation guidance from Wordfence:

    "Update to version 2.3.0, or a newer patched version"

  • Inventory where reviewx is deployed (production, staging, customer-managed) and confirm deployed versions.
  • Treat this as a potential pre-auth attack surface: review logs/telemetry for suspicious probing against reviewx routes and unusually patterned requests targeting review bulk operations.
  • If compromise is suspected, perform the standard WordPress incident actions for your environment: rotate any secrets the PHP runtime could read (database credentials, API keys, the salts in wp-config.php) and run integrity checks on plugin and theme files and on database content.
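A fleet version check over WP-CLI output, as an added example of the inventory step above; it is not JustAppSec or Wordfence tooling. It assumes each host's `wp plugin list --format=json` output has already been collected into an array keyed by hostname; the three hosts and their versions are constructed. Inactive copies are reported as well, because a deactivated plugin stays on disk and is exposed again the moment it is reactivated.

```php
<?php
declare(strict_types=1);

// Added inventory check, not JustAppSec or Wordfence tooling.
// Each value is the JSON printed by `wp plugin list --format=json` on one
// host (fields: name, status, update, version). The hosts are constructed.

const PLUGIN_SLUG     = 'reviewx';
const PATCHED_VERSION = '2.3.0';

/**
 * Return [host => ['version' => ..., 'status' => ...]] for every host whose
 * reviewx build is older than the patched release.
 */
function find_affected_hosts(array $inventory): array
{
    $affected = [];
    foreach ($inventory as $host => $json) {
        $plugins = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
        foreach ($plugins as $plugin) {
            if (($plugin['name'] ?? '') !== PLUGIN_SLUG) {
                continue;
            }
            // version_compare() compares numeric components, so '2.2.12' is
            // correctly below '2.3.0'; a plain string comparison would not be
            // safe for versions such as '2.10.0' vs '2.9.0'.
            if (version_compare((string) $plugin['version'], PATCHED_VERSION, '<')) {
                $affected[$host] = [
                    'version' => (string) $plugin['version'],
                    'status'  => (string) $plugin['status'],
                ];
            }
        }
    }
    return $affected;
}

// Constructed sample: one patched host, one unpatched, one inactive-but-old.
$inventory = [
    'shop-prod-01' => '[{"name":"reviewx","status":"active","update":"available","version":"2.2.12"},
                        {"name":"example-plugin","status":"active","update":"none","version":"1.0.0"}]',
    'shop-prod-02' => '[{"name":"reviewx","status":"active","update":"none","version":"2.3.0"}]',
    'shop-stage'   => '[{"name":"reviewx","status":"inactive","update":"available","version":"2.1.5"}]',
];

$hits = find_affected_hosts($inventory);
if (array_keys($hits) !== ['shop-prod-01', 'shop-stage']) {
    throw new RuntimeException('unexpected result: ' . json_encode($hits));
}
foreach ($hits as $host => $info) {
    printf("%s: reviewx %s (%s) -> update to %s\n",
        $host, $info['version'], $info['status'], PATCHED_VERSION);
}
```

Run it as `php check.php` after collecting the JSON per host (over SSH, or via whatever orchestration already reaches the web tier). The same loop extends to any plugin and patched version by changing the two constants.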

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
